Contracts In Data Protection Matters


4. November 2020

By Manuel Lobato. Patents Lawyer.

Given the worldwide importance that the protection of personal data has acquired, and its status as a human right in many laws around the world, an adequate protection framework is necessary. That framework must not be limited to the laws that regulate the treatment and safeguarding of personal data, but must also extend to the relationships between data controllers, data processors, third companies and the owners of said data.

Personal data has made its way into every possible area of interaction, and the law is no stranger to this, least of all in the contractual field, which is one more link in the chain of measures aimed at protecting all current accumulation of information potentially related to a specific or determinable natural person. It is therefore necessary to list the contracts used in this type of situation, both in cyberspace and in the relationships between the owner of the data and the person in charge of treatment, and between the latter and the data processor.

Privacy Policy

The privacy policies that abound on websites can be considered to have a contractual legal nature, with predisposed content and the possibility for the user to select browsing preferences that determine which data they are willing to share or allow to be collected, and which they are not.

The privacy policy of a website must comply with the principles established in the data protection laws of the respective countries where the users are located. It should advocate transparency, giving the owner of the data correct and complete information about what is done with the data and about the kind of information the site takes, all written in clear and understandable language for the website visitor.

What information should be included in the privacy policy?

  • What information will be collected (names, emails, phone numbers, etc.).
  • How the information will be used (for statistics, to improve the shopping or browsing experience, promotions, Email Marketing, etc.).
  • What will be done with the collected data.
  • The possibility of modifying the policy in the future.
  • Contract form (for modifications, updates, or cancellations).
  • Cookies policy.
  • Relevant information about the way in which the data is protected.

Terms and conditions

It is an unnamed, online, electronic contract of adhesion to pre-arranged clauses.

Terms and conditions are established between the user of a website and the owner of that site. They are mainly intended to inform the user of issues related to the content of the page and the services offered through it, and to give the user appropriate information about the collection and processing of their personal data and the type of data that is transferred to the person in charge through the site.

The terms and conditions also establish the duties and responsibilities of the user, the correct use of the site, intellectual property issues and the legal framework, among others.

Privacy policies can be found separately from the terms and conditions, or in a single identified body.

Data outsourcing

The outsourcing contract, in general terms, is mainly intended to delegate a portion of a company's business process to another company, or to a specialized natural person, that the delegating company considers better suited to carry out that portion of the process. It is the outsourcing of activities.

With regard to data in general and personal data in particular, a company whose activity requires or feeds on such data hires another to manage and process the personal data. The owner of the database is the data controller, and the data processor is the third party that provides the outsourcing service.

Points to consider in the data outsourcing contract

  • The data controller should include in the contract a clause obliging the data processor to fulfill and respect the purpose for which the database or registry was created. The data processor may not carry out acts that tend to undermine said purpose, must keep the data obtained confidential, and must apply a treatment that serves said purpose.
  • As the data processor acts on behalf of and by order of the owner of the database, it must respect the instructions given by the latter, abiding by them, by the framework of the contract and its purpose, and by the contract and, if applicable, criminal law that govern the matter. This is especially so given the responsibility that the person responsible for the data bears for choosing the person in charge of personal data processing and for the work the latter carries out in relation to third parties.
  • The person in charge of the processing of personal data must abstain from transferring the data that is subject to treatment to third parties. The data processor is not authorized to obtain the owner's consent to carry out the assignment, as it is not the owner or person in charge of the database.
  • Once the objective or purpose for which the data were collected and processed has been fulfilled, the data processor must return all that information to the data controller and may not store or keep the data in its possession, unless subsequent situations are expressly established that determine the maintenance of these data in the possession of the data processor.
  • The person in charge of the treatment must be under a duty of confidentiality, which consists primarily of not disclosing the personal data whose treatment was entrusted, or using it for purposes contrary to the contract, the law, public order or the rights of the owners and third parties. This duty must be maintained even after the end of the contractual relationship between both parties.
  • Both the data processor and the data controller have a security duty, not only regarding the treatment of the data in general but also regarding the databases where these data are stored, which must have a level of security appropriate to the protection of the information stored there.

Transfer of data

The transfer of personal data is a contract established between the data controller and third parties or companies. It necessarily requires the consent of the owner of the personal data, and the cause of the transfer must be explained. That cause must be related to the legitimate and legal activity carried out by the person responsible for the database, file, registry, or archive, or to the activity of the assignee.

The object of the data transfer contract must be limited to the data contained in the databases, registers and files, that is, the data collected by the person responsible for the treatment.

At Moeller IP Advisors we have a specialized worldwide work team with the ability to advise on drafting contracts and certain clauses that involve personal data, both in corporate and digital environments. Contact us!
