Building Data Privacy and Data Security clauses

WCC rankings:

Clause           Most important terms   Most negotiated terms   Most disputed terms
Data Privacy     8                      17                      26
Data Security    7                      19                      28

What is a Data Privacy clause?

Data Privacy clauses will generally deal with the way in which data (usually Personal Information) must be handled.

What is a Data Security clause?

Data Security clauses usually provide what the Provider must do to protect the Protected Data against unauthorised third-party access and malicious attacks.

What is a Data Protection clause then?

Data Protection clauses are, in effect, a combination of Data Privacy and Data Security clauses: they cover both how Protected Data must be handled and how it must be protected.

Components of Data Privacy and Data Security clauses

What is Protected Data?

Defining Protected Data is important for ensuring balanced and fair data privacy and security provisions, because every handling, security and breach obligation in the schedule attaches to that defined term.

Generally, Protected Data will be personal information as defined by applicable data privacy and security laws. That, however, does not mean that the definition of Protected Data should be limited to Personal Information. The Customer may want a much broader definition of Protected Data that includes all the data that the Customer provides to the Provider. For example:

Protected Data means all information processed or stored through the System by Customer or on Customer’s behalf, and includes, without limitation, information provided by Customer’s customers, employees, and other users and by other third parties, other information generated through use of the System by or on Customer’s behalf, and copies of all such information rendered onto paper or other non-electronic media.

If you are the Provider, you want to use a narrow definition and may even consider carving out certain types of data from the definition. For example:

Excluded Data means personal tax numbers, financial account data, and credit card and other payment card numbers;

Protected Data means personal information as contemplated under applicable data privacy and security laws, but specifically excludes Excluded Data;

If you are the Provider, you don't want a situation where there is a Data Incident and, for example, credit card data is exposed when there was never any need for you to process credit card data in the first place.

If you follow the approach where certain data is excluded, make sure that a warranty is included in the Data Protection Schedule where the Customer warrants that they will not provide any Excluded Data to the Provider.

TIP!

It may be that you want Protected Data to be regarded as Confidential Information.

If you decide to go this route make sure that you address the situation where there is a conflict between the Data Protection Schedule and the confidentiality provisions.

Handling of Protected Data

  • Authorised Persons

A narrow definition of Authorised Persons may favour the Customer. On the other hand, the Provider would want to make sure the definition of Authorised Persons is wide enough to include sub-contractors so that there is no need to obtain written approvals for each sub-contractor.

Authorised Persons should, however, be limited to people who need to handle the data to fulfil the Provider’s obligations under the Agreement.

  • Aggregated and anonymised data

A Provider may want to use the Protected Data for its own purposes, typically in aggregated form. Generally, if the Provider wants to use the Protected Data, it needs to be anonymised first. If you are the Customer, you want to make sure that the anonymisation is irreversible, so that the data cannot be re-identified by the Provider or anyone else, including by combining it with other data.

  • Personal Information requests

Privacy legislation generally provides certain rights to data subjects when it comes to their Personal Information, for example the right of access (the "right to know"), the right to deletion, or the "right to be forgotten". As a Customer, you may want to impose certain obligations on the Provider if a personal information request is directed at the Provider, such as notifying you and assisting you to respond within the statutory time limits.

Access, location and deletion of Protected Data

If you are the Customer, you want to control the access, location and deletion of Protected Data.

Data privacy laws may determine certain requirements if Protected Data is moved cross-border. As a Customer, you do not want to be exposed to a situation where Protected Data is moved cross-border to a jurisdiction with less stringent data privacy and data security laws than those applicable within the current jurisdiction.

As a Customer, you can also consider specifying certain data centres within the current jurisdiction where data can be stored.

As Provider, the commercials of the transaction must be kept in mind when considering access, location and deletion of Protected Data. It may be useful to reserve a right to charge fees and costs for time spent assisting the Customer with providing access, deleting and moving Protected Data.  

TIP!

If you are acting for the client/customer and the Provider retains ownership of the Foreground IPR, the typical licence you would require is a worldwide, no-charge, royalty-free, perpetual, irrevocable, exclusive, sublicensable licence.

What is Foreground IPR

Basically, anything that is created as a result of the activities conducted under the Agreement.

Here is an example definition:

Foreground IPR means all Intellectual Property Rights that arise as a result of or in the context of any activity pursuant to this Agreement.

Who owns the Foreground IPR

Most of the time the Foreground IPR will be owned by the client/customer paying for the work. There are situations where the Provider would want to own the Foreground IPR. If this is the case, the Provider will need to grant the client/customer a licence to enable them to use the Foreground IPR.

If the client/customer will be owning the Foreground IPR, it is also possible to exclude certain IP that will not be owned by the client/customer. In other words, to carve out certain Foreground IP that will be owned by the Provider. This approach may be an acceptable compromise during tough negotiations but should be treated with caution.

TIP!

If you are acting for the client/customer, and Foreground IPR is carved out in favour of the Provider, make sure that a perpetual licence is granted to the client/customer with all the usual rights (in other words, the client can use, modify, create derivative works, etc. under the licence).

Obligations relating to Foreground IPR

The Provider will likely be creating most of the Foreground IPR. To enable the client/customer to exercise their rights, the Provider will need to provide the client/customer with all documents and information relating to the Foreground IPR and may need to sign documents to register the Foreground IPR. Ensure that the obligations surrounding the Foreground IPR are expressly stated and that you also stipulate who foots the bill for fulfilling them.
