Building data privacy and data security clauses

How to build a data protection clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting data privacy and data protection provisions.

Most disputed terms WCC ranking: 

Data privacy: 28

Data security: 26

Most important terms WCC ranking: 

Data privacy: 8

Data security: 7

Most negotiated terms WCC ranking: 

Data privacy: 17

Data security: 19

What is a Data Privacy clause?

Data Privacy clauses will generally deal with the way in which data (usually Personal Information) must be handled.

What is a Data Security clause?

Data Security clauses usually provide what the Provider must do to protect the Protected Data against unauthorised third-party access and malicious attacks.

What is a Data Protection clause then?

Data protection clauses are, in a way, a combination of data privacy and data security clauses.

Building blocks of Data Privacy and Data Security clauses


What is Protected Data?

Defining Protected Data is important to ensure balanced and fair data privacy and security provisions.

Generally, Protected Data will be personal information as defined by applicable data privacy and security laws. The aforementioned, however, does not mean that the definition of Protected Data should be limited to Personal Information. The Customer may want a much broader definition of Protected Data that includes all the data that the Customer provides to the Provider. For example:

Protected Data means all information processed or stored through the System by Customer or on Customer’s behalf, and includes, without limitation, information provided by Customer’s customers, employees, and other users and by other third parties, other information generated through use of the System by or on Customer’s behalf, and copies of all such information rendered onto paper or other non-electronic media.

If you are the Provider, you want to use a narrow definition and may even consider carving out certain types of data from the definition. For example:

Excluded Data means personal tax numbers, financial account data, and credit card and other payment card numbers;

Protected Data means personal information as contemplated under applicable data privacy and security laws, but specifically excludes Excluded Data;

If you are the Provider, you don’t want a situation where there is a Data Incident and, for example, credit card data is exposed and there was no need for you in the first place to process any such credit card data. 

If you follow the approach where certain data is excluded, make sure that a warranty is included in the Data Protection Schedule where the Customer warrants that they will not provide any Excluded Data to the Provider.

It may be that you want Protected Data to be regarded as Confidential Information. If you decide to go this route make sure that you address the situation where there is a conflict between the Data Protection Schedule and the confidentiality provisions.

Handling of Protected Data - Authorised Persons

A narrow definition of Authorised Persons may favour the Customer. On the other hand, the Provider would want to make sure the definition of Authorised Persons is wide enough to include sub-contractors so that there is no need to obtain written approvals for each sub-contractor.

Authorised Persons should, however, be limited to people who need to handle the data to fulfil the Provider’s obligations under the Agreement.

Handling of Protected Data - Aggregated and anonymised data

A Provider may want to use the Protected Data for its own purposes. Generally, if the Provider wants to use the Protected Data, it needs to be anonymised first. If you are the Customer, you would want to make sure that if the Protected Data is anonymised, the anonymisation cannot be reversed.

Handling of Protected Data - Personal Information requests

Privacy legislation generally provides certain rights to data subjects when it comes to their Personal Information, for example the “right to know”, the right to deletion, or the “right to be forgotten”. As a Customer, you may want to impose certain obligations on the Provider if a personal information request is directed at the Provider.

Access, location and deletion of Protected Data

If you are the Customer, you want to control the access, location and deletion of Protected Data.

Data privacy laws may determine certain requirements if Protected Data is moved cross-border. As a Customer, you do not want to be exposed to a situation where Protected Data is moved cross-border to a jurisdiction with less stringent data privacy and data security laws than those applicable within the current jurisdiction.

As a Customer, you can also consider specifying certain data centres within the current jurisdiction where data can be stored.

As Provider, the commercials of the transaction must be kept in mind when considering access, location and deletion of Protected Data. It may be useful to reserve a right to charge fees and costs for time spent assisting the Customer with providing access, deleting and moving Protected Data.  

Data security audits & certifications

Generally, the two standards that will be considered will be ISO 27001 and SOC 2.

A difference between ISO 27001 and SOC 2 is that SOC 2 is not a certification. If you pass the ISO 27001 requirements, then your business is ISO 27001 certified. However, in the case of SOC 2, the auditor issues a formal report, confirming whether or not you met the relevant criteria. 

ISO 27001 is a common European procurement requirement and is internationally recognized as the highest standard in information security. In the US market, many Customers will want the reassurance that the Provider is SOC 2 compliant.

Minimum safeguards

If you are acting for the Customer, especially where the Provider is not required to produce an ISO 27001 certificate or a SOC 2 report, you want to place certain contractual obligations on the Provider regarding data security.

Even if there is a requirement that the Provider produce an ISO 27001 certificate or a SOC 2 report, there are situations where the Customer may require further measures to be put in place that go beyond what is required under ISO 27001 or SOC 2.

Data incidents & deletion of data

Data Incidents

When considering provisions relating to Data Incidents, the definition of a Data Incident is a good point of departure.

Generally, Data Incidents include the unauthorised disclosure of, access to, or use of Protected Data.

As Provider, you may want to consider narrowing the above broad and general definition to more specific scenarios where, for example, an unauthorised third party obtains Protected Data and threatens to distribute it.

The obligations placed on the Provider relating to Data Incidents require detailed consideration. Examples of these obligations include:

  • Notifying the Customer
  • Cooperation with law enforcement
  • Assistance with notifying third parties whose data may have been exposed

Most of these obligations are generally aimed at damage control. However, a Customer may want to add obligations that require compensation, in some form, as a result of the Data Incident. 

As a Customer, you want to be in control of whatever happens after the occurrence of a Data Incident. As Provider, you do not want to be subjected to obligations that will be detrimental to your business financially.

Deletion of data

As a Customer, you want to have certain rights regarding the deletion of Protected Data.

Making sure that erasure leaves no data readable, decipherable, or recoverable may be expensive. Therefore, as Provider, you may want to consider adding provisions that the data deletion will be done using commercially feasible methods.

Data protection indemnity

The remedies and relief for breach of the Data Protection Schedule or the Data Protection Laws are usually addressed by an indemnity (see How to build an indemnity clause).

Breach & equitable relief

A Customer may also want to include a provision stipulating that a breach of the Data Protection Schedule will be deemed material with the hope that this will help them terminate the Agreement for cause if there is a breach.

Example schedule

Customer friendly

SCHEDULE – DATA PROTECTION

1.1.       Handling of Protected Data: 

(a)          Standard of care:  The Provider must keep and maintain all Protected Data in strict confidence, using such degree of care as is appropriate to avoid unauthorised access, use or disclosure.

(b)          Usage of Protected Data:  The Provider must use and disclose Protected Data solely and exclusively for the purposes for which the Protected Data, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Protected Data for the Provider’s own purposes or for the benefit of anyone other than the Customer, in each case, without the Customer’s prior written consent.

(c)          Disclosure:  The Provider must not, directly or indirectly, disclose Protected Data to any person other than Authorised Persons, without express written consent from the Customer, unless and to the extent required by government authorities or as otherwise, to the extent expressly required, by applicable law, in which case, the Provider must use reasonable efforts to notify the Customer before such disclosure or as soon thereafter as reasonably possible.

(d)          Responsibility for Authorised Persons:  The Provider is responsible for and remains liable to the Customer for the actions and omissions of such Authorised Persons concerning the treatment of such Protected Data as if they were the Provider’s own actions and omissions.

(e)          Written undertaking required from Authorised Persons:  The Provider must require the Authorised Persons that have access to Protected Data to execute a written undertaking to comply with this Schedule.

1.2.       Confidential information:  All Protected Data provided by the Customer to the Provider or to which the Provider may be exposed or acquire in terms of this Agreement, constitutes Confidential Information.

1.3.       Conflicts:  If there is a conflict or inconsistency between this Schedule and the confidentiality provisions within the main body of the Agreement, the terms in this Schedule govern and control.

1.4.       Cross border transfer:  The Provider must not transfer Protected Data (or allow Authorised Persons to transfer Protected Data) outside the Republic of South Africa unless it receives the Customer’s prior written consent.

1.5.       Additional charges:  The Provider may charge additional fees at their standard rates for activities required by the Customer to assist them to comply with Data Protection Laws.

1.6.       Access rights:  The Customer may access and copy any Protected Data in the Provider’s possession or control at any time and the Provider:

(a)          must provide reasonable assistance to the Customer to access and copy the Protected Data.

(b)          may charge their reasonable then-standard fees for any assistance provided under 1.6.

1.7.       Protected data requests:  If the Provider receives a consumer “right to know,” deletion, “right to be forgotten,” or similar request related to Protected Data (the “Consumer Requests”), the Provider must not reply without the Customer’s written authorisation and shall, at the Customer’s expense, comply with the Customer’s reasonable written instructions for Consumer Requests (if any), subject to Data Protection Laws.

1.8.       Audits and certifications: 

(a)          The Provider must maintain annually updated reports and certifications (as may be applicable) of compliance with the following:

(i)           ISO 27001;

(ii)          SOC 2 Type II; and

(iii)         PCI Level 2.

(b)          The Provider must:

(i)           provide the Customer a copy of the most current certifications and reports (as may be applicable) within 30 days of request and thereafter annually within 30 days of completion thereof; and

(ii)          if there are any deficiencies identified or changes suggested relating to the provision of the Services under the Agreement, the Provider must exercise reasonable efforts to promptly address such deficiencies and changes.

(c)          Notwithstanding anything in this Schedule, the Provider is not required to permit any audit that may compromise the security of the Provider’s other customers’ data.

(d)          Any report provided under this Schedule must be regarded as confidential information.

1.9.       Inspections: 

(a)          If requested by the Customer, the Provider must permit inspection and security review by the Customer of systems processing Protected Data and of the Provider’s policies and procedures relating to data security.

(b)          The Customer may request an inspection contemplated in 1.9 every half-year, starting from the date that this Agreement becomes effective.

(c)          Notwithstanding anything in this Schedule, the Provider is not required to permit any inspection that may compromise the security of the Provider’s other customers’ data.

1.10.    Data Incidents:  If there is a Data Incident, or if Provider suspects a Data Incident, the Provider must:

(a)          promptly, and in any case within 24 hours, give notification by telephone, in person, or by other real-time communication;

(b)          cooperate with law enforcement agencies, where applicable, to investigate and resolve the Data Incident;

(c)          provide reasonable assistance in notifying applicable third parties;

(d)          comply with applicable laws governing data breach notification and response;

(e)          if the Data Incident results from their breach of this Agreement or negligent or unauthorised act or omission of an Authorised Person, compensate the other Party for any reasonable expense related to notification of consumers;

(f)           give the other Party prompt access to such records related to a Data Incident as may reasonably be requested (such records will be regarded as confidential information and there will be no obligation to provide access to records that might compromise the security of the other customers); and

(g)          provide the name and contact information for an employee who shall serve as primary security contact and must be available to assist 24 hours per day,  7 days per week as a contact in resolving obligations associated with a Data Incident.

1.11.    Third-parties and Data Incidents: 

(a)          The Provider must not inform any third party of any Data Incident without first obtaining the Customer’s prior written consent, other than to inform a complainant that the matter has been forwarded to the Customer’s legal counsel. The Customer has the sole right to determine:

(i)           whether notice of the Data Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in the Customer’s discretion; and

(ii)          the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.

(b)          The Provider must reasonably cooperate at its own expense with the Customer in any litigation or other formal action deemed reasonably necessary by the Customer to protect their rights relating to the use, disclosure, protection and maintenance of Protected Data.

(c)          If there is a Data Incident, the Provider must use their reasonable efforts to prevent a recurrence of any such Data Incident.

(d)          Nothing in this Schedule limits other rights or remedies of the Customer, if any, resulting from a Data Incident.

1.12.    Deletion of Protected Data:  Except as required by Data Protection Laws or authorised pursuant to a data deletion policy accepted in writing by each party, the Provider must not erase Protected Data or any copy thereof without the Customer’s prior written consent. The Provider must:

(a)          on request promptly erase all Protected Data from all systems under Provider’s control and direct and ensure erasure by any and all of its subcontractors that have access to Protected Data;

(b)          within 30 days of termination of this Agreement, erase all Protected Data in Provider’s possession or control, including without limitation in the possession or control of its subcontractors;

(c)          after erasure leave no data readable, decipherable, or recoverable on its computers or other media or those of its subcontractors, using the best erasure methods commercially feasible; and

(d)          promptly after any erasure of Protected Data or any part of it, certify such erasure.

1.13.    Minimum safeguards:  In addition to any other safeguards contemplated in this Schedule, the Provider must ensure at a minimum that:

(a)          their Personnel each have a unique user ID assigned to them, subject to strict confidentiality undertakings in terms of a password and confidentiality policy;

(b)          there are passwords required for any access to Data in line with its password policy;

(c)          its operating systems are secure and that the security settings in respect thereof are aligned with good industry practice;

(d)          its administrator accounts (and records of usage in relation thereto) are stored securely and can be accessed in the event of any service restoration or fault determination;

(e)          access to Data is limited to Personnel on a “need to know” basis, which Personnel shall strictly utilise their unique user ID and applicable passwords to access same (the access to such Data shall be subject to a two-step authorisation/authentication process);

(f)           all Data is backed up regularly, and that backup testing is conducted regularly in order to ensure that Data can be recovered in the event that such Data is lost, damaged or destroyed;

(g)          its environment has comprehensive malware protection software employed, which software is specifically designed to protect against the most recent malware infections;

(h)          frequent vulnerability scanning is conducted in order to assess whether any computers, networks or applications have any vulnerabilities to cyber-attacks; and

(i)           all designated networks employ intrusion detection systems and intrusion prevention systems, and record any security incidents.

1.14.    IT network infrastructure diagram:  Upon the Customer’s written request, the Provider must provide the Customer with a network diagram that outlines the Provider’s information technology network infrastructure and all equipment used in relation to fulfilling its obligations under the Agreement, including:

(a)          connectivity to the Customer and to all third parties who may access the Provider’s network, to the extent the network contains Protected Data;

(b)          all network connections including remote access services and wireless connectivity;

(c)          all access control devices (for example, firewall, packet filters, intrusion detection and access-list routers);

(d)          all back-up or redundant servers; and

(e)          permitted access through each network connection.

1.15.    Material breach:  Any breach of the obligations under this Schedule is deemed a material breach of the Agreement.

1.16.    Equitable relief: 

(a)          The Provider acknowledges that:

(i)           no adequate remedy exists at law if it fails to perform or breaches any of its obligations under this Schedule;

(ii)          it would be difficult to determine the damages resulting from a breach of this Schedule, and such breach would cause irreparable harm to the Customer; and

(iii)         a grant of injunctive relief provides the best remedy for any such breach, without any requirement that the Customer prove actual damage or post a bond or other security.

(b)          To the extent permitted under Data Protection Laws, the Provider waives any opposition to such injunctive relief contemplated in Section 1.16 or any right to such proof, bond, or other security.

(c)          The Provider’s obligations in this Schedule apply likewise to the Provider’s successors, including without limitation to any trustee in bankruptcy.

Provider friendly

SCHEDULE – DATA PROTECTION

1.1.       Handling of Protected Data: 

(a)          Standard of care:  The Provider must keep and maintain all Protected Data in strict confidence, using such degree of care as is appropriate to avoid unauthorised access, use or disclosure.

(b)          Usage of Protected Data:  The Provider must use and disclose Protected Data solely and exclusively for the purposes for which the Protected Data, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Protected Data for the Provider’s own purposes or for the benefit of anyone other than the Customer, in each case, without the Customer’s prior written consent.

(c)          Disclosure:  The Provider must not, directly or indirectly, disclose Protected Data to any person other than Authorised Persons, without express written consent from the Customer, unless and to the extent required by government authorities or as otherwise, to the extent expressly required, by applicable law, in which case, the Provider must use reasonable efforts to notify the Customer before such disclosure or as soon thereafter as reasonably possible.

(d)          Responsibility for Authorised Persons:  The Provider is responsible for and remains liable to the Customer for the actions and omissions of such Authorised Persons concerning the treatment of such Protected Data as if they were the Provider’s own actions and omissions.

(e)          Written undertaking required from Authorised Persons:  The Provider must require the Authorised Persons that have access to Protected Data to execute a written undertaking to comply with this Schedule.

1.2.       Additional charges:  The Provider may charge additional fees at their standard rates for activities required by the Customer to assist them to comply with Data Protection Laws.

1.3.       Aggregated and anonymized data:  The Customer hereby authorises the Provider to:

(a)          Anonymize Customer Data and to combine it with data from other customers into a new aggregate dataset; and

(b)          use such Anonymized Customer Data as a component of such new aggregate dataset for any legal business purpose, including without limitation for distribution to third-parties.

1.4.       Minimum safeguards:  In addition to any other safeguards contemplated in this Schedule, the Provider must ensure at a minimum that:

(a)          their Personnel each have a unique user ID assigned to them, subject to strict confidentiality undertakings in terms of a password and confidentiality policy;

(b)          there are passwords required for any access to Data in line with its password policy;

(c)          its operating systems are secure and that the security settings in respect thereof are aligned with good industry practice;

(d)          its administrator accounts (and records of usage in relation thereto) are stored securely and can be accessed in the event of any service restoration or fault determination;

(e)          access to Data is limited to Personnel on a “need to know” basis, which Personnel shall strictly utilise their unique user ID and applicable passwords to access same (the access to such Data shall be subject to a two-step authorisation/authentication process);

(f)           all Data is backed up regularly, and that backup testing is conducted regularly in order to ensure that Data can be recovered in the event that such Data is lost, damaged or destroyed;

(g)          its environment has comprehensive malware protection software employed, which software is specifically designed to protect against the most recent malware infections;

(h)          frequent vulnerability scanning is conducted in order to assess whether any computers, networks or applications have any vulnerabilities to cyber-attacks; and

(i)           all designated networks employ intrusion detection systems and intrusion prevention systems, and record any security incidents.


The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 
