Although the EU’s General Data Protection Regulation (GDPR) has been in force for more than six months, many organizations are still getting to grips with some of the practical requirements, including ensuring that their contracts comply with Article 28, which mandates a number of key clauses if personal data is being processed under the service agreement.
With potentially hundreds of in-scope contracts, customers and suppliers alike have developed standard-form data processing addendums (DPAs) or similar contract documents in order to address these Article 28 requirements. DPAs are fast becoming the preferred approach for both new agreements and existing contracts.
In this series, we will be taking a look at some of the important features, and pitfalls, of using standard-form DPAs to address Article 28 compliance.
Beware the Order of Precedence Clause
An almost universal feature of standard-form DPAs is the “order of precedence” clause. This takes a number of forms, but in general it states that in the case of a conflict between the contents of the DPA and the remainder of the contract, the DPA prevails.
Sounds sensible given this is a regulatory requirement, right? Not necessarily—this approach can undermine, in one fell swoop, what are often highly negotiated and considered provisions in the remainder of the agreement. Article 28 clauses cover important topics such as information security, subcontracting, service locations, and audit rights, and DPAs are often drafted to reflect the minimum obligations mandated by the GDPR.
Let’s consider the example of a subprocessor appointment:
- Many organizations (particularly those in heavily regulated sectors) want to retain control over their supply chains, especially where a supplier will have access to or generate customer and other personal information.
- With the continued march of cloud-based, commoditized services, those discussions have become increasingly complex. Indeed, many providers are highly reluctant to agree to a veto right on the use of subcontractors due to their “one to many” business model. The GDPR acknowledges this situation and sets a minimum standard for the appointment of subprocessors: blanket authorizations are permitted, provided that processors give notice of changes and additions and the controller retains a right to “object.”
- It’s no surprise that a significant proportion of providers (in particular providers of cloud-based subscription services) have followed the minimum GDPR approach in their DPAs. Note, though, that many have also included explicit termination rights where a customer objects to a new subprocessor.
- The inclusion of objection processes and termination rights all sounds reasonable, until one revisits the underlying agreement only to find rights of preapproval for subcontracting; those hard-fought positions are swiftly decimated by a combination of the precedence clause explored above and a cookie-cutter approach to preparing the DPA form.
So What Can You Do to Resolve This Situation?
Potential solutions include the following:
- The most important (and obvious) precaution is to read the underlying contract. What does the agreement already say about security, subcontracting, audits, and other relevant items? Are important restrictions and obligations in the wider agreement being inadvertently amended by the DPA?
- Ensure that provisions dealing with similar subject matter dovetail. For example, if there are specific security obligations agreed elsewhere in the agreement in relation to data processing, these should be referenced in the DPA, even if these are called out as “additional” to the standard GDPR security wording.
- Take a more nuanced approach to the order of precedence clause. For example, the DPA might generally take precedence, but certain provisions in the agreement could be stated to take priority. These exceptions could be general (e.g., provisions that are more protective of the customer’s information) or specific (e.g., the section that governs subcontracting).
The DPA is not merely a boilerplate attachment or a rubber stamp to be “GDPR compliant.” Make sure the precedence clause, and all other key issues, are in order.
Check back for Part 2 of this series, where we will look at commercial approaches to DPA clauses and to additional GDPR compliance obligations more generally.