How to build a data protection clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting data privacy and data protection provisions.

Most disputed terms WCC ranking: 

Data privacy: 28

Data security: 26

Most important terms WCC ranking: 

Data privacy: 8

Data security: 7

Most negotiated terms WCC ranking: 

Data privacy: 17

Data security: 19

What is a Data Privacy clause?

Data Privacy clauses will generally deal with the way in which data (usually Personal Information) must be handled.

What is a Data Security clause?

Data Security clauses usually provide what the Provider must do to protect the Protected Data against unauthorised third-party access and malicious attacks.

What is a Data Protection clause then?

Data protection clauses are in a way a combination of data privacy and data protection clauses.

Do data protections apply globally?

Data protection laws do not apply globally per se, as each law is specific to a country or region. However, some laws have extraterritorial reach, meaning they can apply to organizations located outside of their respective jurisdictions if certain conditions are met. The most prominent example of this is the European Union’s General Data Protection Regulation (GDPR).

The GDPR applies to organizations located within the EU and organizations located outside the EU if they process personal data of individuals residing in the EU under certain circumstances. These circumstances include:

  1. Offering goods or services to individuals in the EU, irrespective of whether payment is required.
  2. Monitoring the behavior of individuals in the EU, where such behavior takes place within the EU.

Even though the GDPR does not apply globally, its extraterritorial reach means that organizations worldwide may need to comply with its provisions if they process the personal data of EU residents.

Other data protection laws, such as Brazil’s General Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA), also have provisions that can apply to organizations outside their respective jurisdictions. However, no single data protection law has a truly global application. Organizations must be aware of the data protection laws in each country or region where they operate or process personal data of residents and comply with the relevant regulations accordingly.

What is a restricted data transfer?

Building blocks of Data Privacy and Data Security clauses

building blocks of data privacy and data security provisions

What is Protected Data?

Defining Protected Data is important to ensuring balanced and fair data privacy and security provisions.

Generally, Protected Data will be personal information as defined by applicable data privacy and security laws. The aforementioned, however, does not mean that the definition of Protected Data should be limited to Personal Information. The Customer may want a much broader definition of Protected Data that includes all the data that the Customer provides to the Provider. For example:

Protected Data means all information processed or stored through the System by Customer or on Customer’s behalf, and includes, without limitation, information provided by Customer’s customers, employees, and other users and by other third parties, other information generated through use of the System by or on Customer’s behalf, and copies of all such information rendered onto paper or other non-electronic media.

If you are the Provider, you want to use a narrow definition and may even consider carving out certain types of data from the definition. For example:

Excluded Data means personal tax numbers, financial account data, and credit card and other payment card numbers;

Protected Data means personal information as contemplated under applicable data privacy and security laws, but specifically excludes Excluded Data;

If you are the Provider, you don’t want a situation where there is a Data Incident and, for example, credit card data is exposed and there was no need for you in the first place to process any such credit card data. 

If you follow the approach where certain data is excluded, make sure that a warranty is included in the Data Protection Schedule where the Customer warrants that they will not provide any Excluded Data to the Provider.

It may be that you want Protected Data to be regarded as Confidential Information. If you decide to go this route make sure that you address the situation where there is a conflict between the Data Protection Schedule and the confidentiality provisions.

Handling of Protected Data - Authorised Persons

A narrow definition of Authorised Persons may favour the Customer. On the other hand, the Provider would want to make sure the definition of Authorised Persons is wide enough to include sub-contractors so that there is no need to obtain written approvals for each sub-contractor.

Authorised Persons should, however, be limited to people who need to handle the data to fulfil the Provider’s obligations under the Agreement.

Handling of Protected Data - Aggregated and anonymised data

A Provider may want to use the Protected Data for its own purposes. Generally, if the Provider wants to use the Protected Data, it needs to be anonymised first. If you are the Customer, you would want to make sure that if the Protected Data is anonymised, such a process must and cannot be reversed.

Handling of Protected Data - Personal Information requests

Privacy legislation generally provides certain rights to data subjects when it comes to their Personal Information. For example, the “right to know,” delete, or the “right to be forgotten”. As a Customer, you may want to impose certain obligations on the Provider if a personal information request is directed at the Provider.

Access, location and deletion of Protected Data

If you are the Customer, you want to control the access, location and deletion of Protected Data.

Data privacy laws may determine certain requirements if Protected Data is moved cross-border. As a Customer, you do not want to be exposed to a situation where Protected Data is moved cross-border to a jurisdiction with less stringent data privacy and data security laws than those applicable within the current jurisdiction.

As a Customer, you can also consider specifying certain data centres within the current jurisdiction where data can be stored.

As Provider, the commercials of the transaction must be kept in mind when considering access, location and deletion of Protected Data. It may be useful to reserve a right to charge fees and costs for time spent assisting the Customer with providing access, deleting and moving Protected Data.  

Data security audits & certifications

Generally, the two standards that will be considered will be ISO 27001 and SOC 2.

A difference between ISO 27001 and SOC 2 is that SOC 2 is not a certification. If you pass the ISO 27001 requirements, then your business is ISO 27001 certified. However, in the case of SOC 2, the auditor issues a formal report, confirming whether or not you met the relevant criteria. 

ISO 27001 is a common European procurement requirement and is internationally recognized as the highest standard in information security. In the US market, many Customers will want the reassurance that the Provider is SOC 2 compliant.

Minimum safeguards

If you acting for the Customer, especially in the situation where the Provider is not required to produce an ISO 27001 certificate or an SOC2 report, you want to place certain contractual obligations on the Provider regarding data security.

Or, if there is a requirement that the Provider produces a ISO 27001 certificate or an SOC2 report, there are situations where the Customer may require further measures to be put in place that goes beyond what is required under ISO 27001/ SOC2.

Data incidents & deletion of data

Data Incidents

When considering provisions relating to Data Incidents, the definition of a Data Incident is a good point of departure.

Generally, Data Incidents include the unauthorised disclosure of, access to, or use of Protected Data. 

As Provider, you may want to consider narrowing the above broad and general definition to more specific scenarios where, for example, an unauthorised third-party obtains and threatens the distributions of Protected Data.

The obligations placed on the Provider relating to Data Incidents require detailed consideration. Examples of these obligations include:

  • Notifying the Customer
  • Cooperation with law enforcement
  • Assistance with notifying third parties whose data may have been exposed

 

Most of these obligations are generally aimed at damage control. However, a Customer may want to add obligations that require compensation, in some form, as a result of the Data Incident. 

As a Customer, you want to be in control of whatever happens after the occurrence of a Data Incident. As Provider, you do not want to be subjected to obligations that will be detrimental to your business financially.

 

Deletion of data

As a Customer, you want to have certain rights regarding the deletion of Protected Data.

Making sure that erasure leaves no data readable, decipherable, or recoverable may be expensive. Therefore, as Provider, you may want to consider adding provisions that the data deletion will be done using commercially feasible methods.

Data protection indemnity

The remedies and relief for breach of the Data Protection Schedule or the Data Protection Laws are usually addressed by an indemnity (see How to build an indemnity clause).

Breach & equitable relief

A Customer may also want to include a provision stipulating that a breach of the Data Protection Schedule will be deemed material with the hope that this will help them terminate the Agreement for cause if there is a breach.

Measures of pseudonymization and encryption of personal data

Here are a couple of examples of measures of pseudonymisation and encryption of personal data that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Data Masking: The Data Processor needs to hide personal data using standard techniques, making it hard to identify the individual from the altered data.

  • Irreversible Masking: The Data Processor must ensure that once the data is masked, it cannot be changed back to the original form or used to identify the person it belongs to.

  • Tokenization: The Data Processor should use a safe system to replace sensitive data with unique, non-sensitive tokens (like codes) that don’t reveal the actual data.

  • Secure Tokens: The Data Processor must make sure that these tokens can’t be connected back to the original data without access to the tokenization system.

  • Secure Storage: The Data Processor needs to store the tokens and their corresponding data mappings separately in a safe, protected environment.

  • Encryption: The Data Processor must use industry-standard methods to protect personal data by scrambling it, both when it’s stored and when it’s being transferred.

  • Encryption Types: The Data Processor should use Advanced Encryption Standard (AES) for symmetric encryption and RSA or ECC for asymmetric encryption, or equally secure alternatives.

  • Key Management: The Data Processor must set up and maintain secure processes to manage encryption keys, including creating, storing, and distributing them.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Here are a couple of examples of measures of measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Access Control: The Data Processor should use appropriate methods to limit access to personal data, allowing only those who absolutely need it.

  • Review Access Permissions: The Data Processor should regularly check and update who has access to personal data, making sure only authorized personnel can access it.

  • Network Segmentation: The Data Processor should separate systems with personal data from other systems or networks to keep them isolated.

  • Enforce Segmentation: The Data Processor should use firewalls, virtual LANs (VLANs), or other suitable technologies to reinforce network separation and reduce the risk of unauthorized access.

  • Intrusion Detection and Prevention: The Data Processor should use systems that monitor and protect networks and systems containing personal data from unauthorized access or attacks.

  • IDPS Updates: The Data Processor should regularly update these systems with the latest threat information and make sure they’re configured to quickly detect and respond to potential security incidents.

  • Security Patch Management: The Data Processor should have a process to quickly find, evaluate, and apply security updates to systems handling personal data.

  • Prioritize Critical Patches: The Data Processor should focus on deploying important security updates first to minimize the risk of known vulnerabilities being exploited.

  • Backup and Disaster Recovery Plan: The Data Processor should have a plan to recover personal data and systems quickly in case of disruptions or failures.

  • Regular Backups: The Data Processor should frequently back up personal data and store copies in secure, geographically separate locations.

  • Redundancy and Fault Tolerance: The Data Processor should use measures like redundant power supplies, RAID configurations, and load balancing to keep systems handling personal data continuously available and resilient.

  • Test and Evaluate: The Data Processor should periodically test these measures to ensure the ongoing reliability of systems and services.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Here are a couple of examples of measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Regular Backups: The Data Processor should frequently back up personal data following a set schedule and backup retention policy.

  • Integrity and Confidentiality: The Data Processor should use suitable encryption and access control methods to keep backed-up personal data secure and accurate.

  • Off-site Storage: The Data Processor should store backup copies of personal data in safe, geographically separate locations to reduce the risk of data loss from local incidents.

  • Physical and Technical Security: The Data Processor should use proper security measures to protect off-site backup storage locations from unauthorized access, theft, or damage.

  • Disaster Recovery Plan: The Data Processor should have a plan outlining how to restore personal data and systems if there’s a disruption or failure, and they should keep this plan updated.

  • Testing the Plan: The Data Processor should regularly test the disaster recovery plan to make sure it works effectively, and staff know how to follow it in case of an incident.

  • Business Continuity Plan: The Data Processor should have a plan that addresses potential risks and impacts on personal data processing due to physical or technical incidents.

  • Review and Update: The Data Processor should periodically review and update the business continuity plan, incorporating lessons learned from incident response exercises, testing, and real-world events.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Here are a couple of examples of processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Security Audits: The Data Processor should regularly check and evaluate the effectiveness of security measures, policies, and procedures related to handling personal data.

  • Fix Deficiencies: The Data Processor should quickly address any weaknesses or vulnerabilities found and show evidence of improvements to the Data Controller.

  • Penetration Testing: The Data Processor should regularly test systems and networks that process personal data by simulating real-world attacks to identify potential weaknesses and vulnerabilities.

  • Independent Professionals: The Data Processor should hire qualified, independent experts to conduct penetration tests and quickly address any issues found.

  • Vulnerability Scans: The Data Processor should routinely scan systems and networks involved in processing personal data, using automated tools and methods to find potential security weaknesses.

  • Fix Vulnerabilities: The Data Processor should quickly address any vulnerabilities found and show evidence of improvements to the Data Controller.

  • Security Awareness Training: The Data Processor should provide regular training to employees handling personal data, ensuring they understand their responsibilities and the security measures needed to protect the data.

  • Training Records: The Data Processor should keep records of completed training and update the training content periodically to address new threats and security best practices.

Measures for user identification and authorization

Here are a couple of examples of measures for user identification and authorization that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • MFA (Multi-Factor Authentication): The Data Processor should require all users accessing systems with personal data to use at least two different types of authentication, like a password, a token, or a biometric feature.

  • RBAC (Role-Based Access Control): The Data Processor should give users permissions and access rights based on their job roles and responsibilities, making sure they only have the minimum access needed to do their jobs.

  • SSO (Single Sign-On): When possible, the Data Processor should use SSO solutions to make it easier for users to access multiple systems with personal data using one login, while still maintaining strict access controls and security measures.

  • Password Policies: The Data Processor should have strong password policies for users accessing systems with personal data, including rules for password complexity, length, and expiration.

  • Secure Password Handling: The Data Processor should also use secure methods for storing, transmitting, and resetting passwords, making sure they are protected from unauthorized access and disclosure.

Measures for the protection of data during transmission

Here are a couple of examples of measures for the protection of data during transmission that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Secure Communication Protocols: The Data Processor should use secure protocols like HTTPS, TLS, or VPNs to encrypt data sent between systems, networks, and users, making sure personal data stays private and safe while being transferred.

  • Email Security: The Data Processor should use email security measures like encryption, digital signatures, and anti-phishing filters to protect personal data sent through email and reduce the risk of unauthorized access or disclosure.

  • Antivirus and Anti-Malware: The Data Processor should keep antivirus and anti-malware software up-to-date on all devices used to access or send personal data, ensuring data transmissions are safe from malicious software and unauthorized access.

  • DLP (Data Loss Prevention): The Data Processor should use DLP solutions to monitor and control the transfer of personal data, stopping unauthorized or accidental data leaks and making sure personal data is only sent to authorized recipients and systems.

Measures for the protection of data during storage

Here are a couple of examples of measures for the protection of data during storage that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Encrypt Stored Data: The Data Processor should encrypt personal data stored in databases or other storage systems, using strong encryption methods like AES-256 or similar.

  • Secure Storage Infrastructure: The Data Processor should have a safe storage environment for personal data, with proper security measures like access controls, firewalls, and intrusion detection and prevention systems.

  • Security Updates: The Data Processor should quickly apply security updates and patches to storage systems, addressing potential vulnerabilities and reducing the risk of unauthorized access to stored personal data.

  • Access Control Policies: The Data Processor should have strict rules for accessing systems and devices storing personal data, allowing only authorized personnel to access them.

  • Monitor and Log Access: The Data Processor should keep track of and record access to stored personal data, allowing for quick detection and response to potential security incidents.

  • Secure Data Disposal: The Data Processor should follow safe procedures to dispose of personal data that is no longer needed or required to be kept, making sure the data is permanently deleted and can’t be recovered or accessed by unauthorized parties.

Measures for ensuring physical security of locations at which personal data are processed

Here are a couple of examples of measures for ensuring physical security of locations at which personal data are processed that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Strict Access Controls: The Data Processor should use strong access controls like card readers, biometric authentication, or security personnel to limit access to areas where personal data is processed, allowing only authorized personnel inside.

  • Security Monitoring: The Data Processor should constantly monitor processing locations using security measures like video surveillance, intrusion detection systems, and alarms to detect and respond to potential security breaches or unauthorized access.

  • Visitor Management: The Data Processor should have a process for managing visitors, including identification, registration, and supervision, to make sure unauthorized people don’t access locations where personal data is processed.

  • Secure Storage Solutions: The Data Processor should use secure storage options like locked cabinets or secure server rooms for physical records with personal data, and maintain a clean desk policy to reduce the risk of unauthorized access or data theft.

  • Environmental Controls: The Data Processor should install and maintain controls like fire suppression systems, climate control, and uninterruptible power supply (UPS) systems to protect processing locations and personal data from damage caused by fire, water, power outages, or other environmental threats.

Measures for ensuring events logging

Here are a couple of examples of measures for ensuring events logging that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  1. Comprehensive Logs: The Data Processor should keep detailed logs of events related to personal data processing, such as access, changes, deletion, transmission, security incidents, and system activities.

  2. Log Retention Policy: The Data Processor should have a policy for how long logs are kept and the secure storage methods used to protect logs from unauthorized access, tampering, or deletion.

  3. Log Monitoring and Analysis: The Data Processor should regularly review logs for any suspicious or unauthorized activities, making sure potential security incidents are quickly detected and addressed.

  4. Restricted Access to Logs: The Data Processor should allow only authorized personnel to access event logs, using appropriate access controls to protect logs from unauthorized access, tampering, or deletion.

  5. Auditable Trail of Events: The Data Processor should maintain a clear and auditable record of events related to personal data processing, allowing for the reconstruction of activities and providing evidence of compliance with data protection requirements.

Measures for ensuring system configuration, including default configuration

Here are a couple of examples of measures for ensuring system configuration, including default configuration that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Secure Baseline Configurations: The Data Processor should set up secure baseline configurations for systems processing personal data, using industry best practices and security standards to minimize potential risks and vulnerabilities.

  • Configuration Management Process: The Data Processor should have a process for tracking, controlling, and documenting changes to systems and their configurations, making sure that any changes are properly authorized, tested, and documented.

  • Review and Update Configurations: The Data Processor should regularly review and update system configurations, including default settings, to address new threats, vulnerabilities, and technological advancements, ensuring ongoing security.

  • System Hardening: The Data Processor should use system hardening techniques like disabling unnecessary services, removing default accounts, and configuring access controls to reduce the attack surface and minimize the risk of unauthorized access or data breaches.

  • Patch Management Process: The Data Processor should have a process for regularly updating systems with security patches and software updates, ensuring that known vulnerabilities are quickly addressed and mitigated.

Measures for internal it and it security governance and management

Here are a couple of examples of measures for internal IT and IT security governance and management that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Comprehensive IT Security Policy: The Data Processor should create and update an IT security policy that outlines their commitment to protecting personal data and provides guidance on implementing security controls, procedures, and best practices.

  • Dedicated IT Security Team: The Data Processor should appoint a dedicated IT security team, led by a qualified professional, responsible for managing and improving security measures related to personal data processing.

  • Risk Management Process: The Data Processor should implement a process to identify, assess, and mitigate potential risks to personal data, ensuring appropriate controls are in place to minimize the likelihood and impact of security incidents.

  • Incident Response Plan: The Data Processor should develop and maintain a plan that outlines procedures for detecting, containing, and recovering from security incidents, as well as reporting breaches to the Data Controller and relevant authorities, as required.

  • Regular IT Security Training: The Data Processor should provide regular security training and awareness programs to all employees involved in personal data processing, ensuring they understand their responsibilities and are aware of security best practices and potential threats.

  • Periodic Security Assessments and Audits: The Data Processor should conduct regular security assessments and audits to review the effectiveness of implemented security measures and ensure ongoing compliance with internal policies and regulatory requirements.

Measures for certification or assurance of processes and products

Here are a couple of examples of measures for certification or assurance of processes and products that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Industry Certifications: The Data Processor should obtain and maintain relevant industry certifications, such as ISO 27001, SOC 2, or GDPR-specific certifications, to show that they comply with established security standards and best practices related to personal data processing.

  • Independent Audits and Assessments: The Data Processor should have qualified, independent third parties conduct regular audits and assessments to validate the effectiveness of security measures and ensure ongoing compliance with data protection requirements.

  • Continuous Improvement Process: The Data Processor should implement a process to monitor, evaluate, and update security measures, processes, and products to address emerging threats, vulnerabilities, and technological advancements, ensuring personal data remains protected.

  • Monitoring Third-Party Compliance: The Data Processor should assess and monitor the compliance of vendors, subcontractors, and other third parties involved in personal data processing, ensuring they maintain the same level of certification and assurance for their processes and products.

  • Maintain Documentation: The Data Processor should maintain documentation related to certifications, audit findings, and corrective actions, providing the Data Controller with evidence of compliance and assurance for its processes and products upon request.

Measures for ensuring data minimization

Here are a couple of examples of measures for ensuring data minimization that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Processing for Specific Purposes: The Data Processor must only process personal data for specific purposes defined by the Data Controller and not process data for any other purpose without explicit authorization.

  • Data Minimization: The Data Processor must follow data minimization principles by collecting and processing only the minimum amount of personal data necessary to fulfill the specific purpose, ensuring no excessive data is collected or retained.

  • Restrict Processing: The Data Processor must limit the processing of personal data to the minimum extent required to achieve the defined purpose, avoiding any unnecessary or excessive processing activities.

  • Data Retention Policy: The Data Processor must establish and follow a data retention policy that specifies how long personal data is stored and securely deletes data when it is no longer needed, ensuring data is not retained longer than necessary.

  • Periodic Review and Deletion: The Data Processor must periodically review the personal data it processes and securely delete any data that is no longer necessary or relevant to the purpose for which it was collected.

Measures for ensuring data quality

Here are a couple of examples of measures for ensuring data quality that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Data Accuracy: The Data Processor must implement measures to ensure personal data is accurate, up-to-date, and complete, regularly validating and updating data as needed to maintain its accuracy.

  • Validation and Integrity Checks: The Data Processor must employ data validation and integrity checks during data collection, processing, and storage to minimize the occurrence of errors, inconsistencies, or corruption in personal data.

  • Correction and Updating Procedures: The Data Processor must establish procedures for the prompt correction or updating of personal data upon request or when inaccuracies are identified, ensuring that data quality is maintained over time.

  • Standardized Procedures: The Data Processor must implement standardized data processing procedures to minimize the risk of human error or inconsistencies that could negatively impact data quality.

  • Quality Control and Monitoring: The Data Processor must implement ongoing quality control and monitoring processes to identify and address any data quality issues, regularly reviewing and adjusting these processes as needed to maintain high-quality personal data.

Measures for ensuring limited data retention

Here are a couple of examples of measures for ensuring limited data retention that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Data Retention Policy: The Data Processor must establish and follow a data retention policy that specifies the duration for which personal data is retained, considering legal, regulatory, and contractual requirements, as well as the purpose for which the data was collected.

  • Secure Data Deletion: The Data Processor must implement secure data deletion procedures to ensure that personal data is irretrievably deleted once it is no longer necessary for the specified purpose or when the retention period has expired.

  • Periodic Data Review: The Data Processor must periodically review the personal data it holds to identify and securely delete any data that is no longer necessary or has exceeded the defined retention period, ensuring that data is not retained longer than required.

  • Archiving and Destruction Procedures: The Data Processor must establish and follow procedures for archiving and securely destroying personal data when it is no longer needed, ensuring that archived data is protected from unauthorized access and that destruction methods render the data irrecoverable.

  • Employee Awareness: The Data Processor must ensure that all employees involved in personal data processing are aware of the data retention policy and its requirements, promoting adherence to limited data retention practices.

Measures for ensuring accountability

Here are a couple of examples of measures for ensuring accountability that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Appoint a Data Protection Officer: The Data Processor must appoint a qualified Data Protection Officer (DPO) who will oversee data protection activities, ensure compliance with data protection regulations, and serve as the point of contact for the Data Controller and relevant authorities.

  • Data Protection Policies and Procedures: The Data Processor must establish, maintain, and regularly update comprehensive data protection policies and procedures that outline the organization’s commitment to protecting personal data and provide guidance on implementing security controls, procedures, and best practices.

  • Record of Processing Activities: The Data Processor must maintain a detailed Record of Processing Activities (ROPA) that documents the processing of personal data, including the purpose, categories of data, data subjects, and any data transfers, ensuring that processing activities are transparent and accountable.

  • Compliance Monitoring: The Data Processor must regularly monitor and assess its compliance with data protection requirements, reporting any breaches or non-compliance to the Data Controller and relevant authorities, as required.

  • Data Protection Impact Assessments: The Data Processor must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, identifying potential risks and implementing appropriate mitigating measures to ensure the protection of personal data.

  • Data Processing Agreements: The Data Processor must establish Data Processing Agreements (DPAs) with all subprocessors, ensuring that they maintain the same level of data protection and security as the Data Processor, and are accountable for their processing activities.

  • Data Protection Training: The Data Processor must provide regular data protection training and awareness programs to all employees involved in personal data processing, ensuring that they understand their responsibilities and are aware of data protection best practices and potential threats.

Measures for allowing data portability and ensuring erasure

Here are a couple of examples of measures for allowing data portability and ensuring erasure that may be included as part of the Data Processor’s obligations when handling Personal Data-

 

  • Data Portability Procedures: The Data Processor must establish and follow procedures to facilitate data portability, enabling data subjects to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit this data to another controller without hindrance.

  • Data Export Formats: The Data Processor must provide appropriate data export formats and mechanisms to ensure the seamless transfer of personal data between different systems and controllers, while maintaining the integrity, confidentiality, and security of the data.

  • Secure Data Erasure: The Data Processor must implement secure data erasure procedures to ensure that personal data is irretrievably deleted upon the data subject’s request or when it is no longer necessary for the specified purpose, in accordance with the data retention policy.

  • Prompt Response to Requests: The Data Processor must promptly respond to data subject requests for data portability or erasure, ensuring that these requests are fulfilled within the timeframes specified by applicable data protection regulations.

  • Documentation of Requests: The Data Processor must maintain documentation of all data subject requests for portability and erasure, including the actions taken and the date of completion, to demonstrate compliance with data protection requirements.

  • Employee Training: The Data Processor must provide regular training and awareness programs for employees involved in personal data processing, ensuring that they understand their responsibilities related to data portability and erasure and are aware of the relevant procedures and best practices.

Table of Contents