Personal data processing agreement: what is it and how important is it?

Published on: 01/09/2023 (1 September 2023)

The General Personal Data Protection Act (LGPD), which aims to protect individuals against abusive or harmful use of their personal data by third parties, completed five years in August 2023. To that end, the Law created a series of obligations for the companies, organizations and public bodies that use personal information in the course of their activities: the so-called "processing agents".

In this context, when activities involving personal data are carried out by more than one organization, a personal data processing agreement is essential to define which activities each processing agent will perform and the responsibilities that follow from them. These agreements, known as DPAs (Data Processing Agreements), are also a way for organizations to demonstrate their efforts to comply with the applicable rules, in line with the principle of accountability.

By delimiting the scope of the processing, stating which data will be processed, for what purposes and under what security controls, the risks of abusive or unlawful use of personal data and of security breaches are reduced. Signing DPAs is therefore a means of legal enforcement and of guaranteeing the rights of data subjects.

Contract clauses can also set objective criteria and parameters for distributing responsibilities among the parties, reducing business uncertainty and contingencies. In other words, a good processing agreement provides a way to measure compliance with the obligations imposed by the LGPD. DPAs are contracts like any other: they must be negotiated until the parties reach common ground that makes the transaction viable. They are therefore a way to generate value and reduce risk for processing agents.

This text explains the steps for a successful negotiation of personal data processing agreements, including the main clauses that should be present in the document.


Definitions prior to the negotiation of the personal data processing agreement

Before negotiating an agreement, it is important to understand some material aspects of the personal data processing activity that will take place between the parties. These aspects determine how complex the clauses need to be and which legal arrangement is established between the processing agents.

Criticality level of the processing activity between the parties

First, determine how important the processing covered by the contract is. The triggers that lead an organization to classify a processing operation as critical or high-risk must be set in context. For example, a processing activity may be considered critical when the following characteristics are present:

  • a high volume of personal data processed between the contracting parties, considering the context of the activities carried out;
  • processing of sensitive personal data.

Whenever a processing activity between agents is considered critical, it is worth negotiating a contract with more robust clauses, to mitigate the risks of abusive or unlawful use of personal data and of security breaches. In cases considered non-critical or low-risk, the agreement may be simpler, reducing negotiation time and speeding up signature.

Define the role of each party in the personal data processing

Once the criticality level of the processing activities covered by the agreement has been defined, it is important to understand the flow of personal data between the parties. This analysis identifies the obligations applicable to each party and the appropriate legal arrangement for the business, that is, whether the relationship is between controller and processor (the LGPD's "operador"); between processor and sub-processor; or between joint or independent controllers.

Although some obligations apply to all agents, such as keeping records of processing operations or implementing security measures, the responsibilities of each one differ.

According to the Law, the controller is the agent responsible for the "essential decisions" about the processing of personal data. The Guidance on the Definitions of Processing Agents, issued by the National Data Protection Authority (ANPD), explains which "essential decisions" make an agent the controller of a processing activity:

  • the nature of the personal data processed (identification number, biometrics, telephone number, etc.);
  • the forms and purposes of the processing activities (how the data is collected, stored, cross-referenced, etc.);
  • the duration of the processing (that is, when the processing ends, in accordance with art. 15 and art. 16 of the LGPD).

The controller therefore has specific obligations, such as preparing a data protection impact assessment, proving that the consent obtained from the data subject is lawful (when consent is the legal basis), notifying the ANPD of personal data incidents, and responding to requests from data subjects. As a rule, the controller is the agent responsible for remedying and compensating any damage caused to third parties or data subjects by the processing activities.

The processor, in turn, processes personal data on behalf of the controller and according to its instructions. The processor must therefore process the data only for the purposes and in the forms defined by the controller. The processor is jointly and severally liable with the controller for damage caused to third parties and data subjects by the processing activities in two cases: (i) when it fails to comply with the LGPD or (ii) when it fails to follow the controller's lawful instructions.

Finally, the sub-processor is the agent hired by the processor to carry out processing activities on behalf of the controller. Since this figure is not defined by the Law and appears only in the ANPD Guidance mentioned above, before the data protection authority a sub-processor has the same role and responsibilities as a processor.

Several arrangements are possible between the parties to a processing agreement. The controller may be a third party, with the agreement signed between processor and sub-processor. Or the two parties may be joint controllers, if they make common or converging decisions on the essential elements of the processing. Once this arrangement and the type of contract (simpler or more complex) applicable to the case are defined, negotiation of the contract's provisions can begin.

What should be included in a personal data processing agreement

Data processing agreements must set objective parameters for the responsibilities of each party, that is, the specifics not covered by the generic text of the Law. This reduces and mitigates the uncertainties and risks of the processing activities. The document should therefore also cover the following aspects:

Term

Define how long the obligations established in the contract last, considering how the processing activities unfold over time. Ideally the term of the contract matches the period for which the receiving party or parties retain the data.

Obligations of the parties

It is important to set out the obligations of each party to the arrangement, since many obligations may not be provided for by law, such as specific guidelines in a privacy policy, specific requirements of an applicable ISO standard, or obligations imposed by foreign legislation, where applicable.

Collaborators

Incidents are usually linked to human action. It is therefore worth including in the agreement a provision for training and awareness of the professionals who act on behalf of the processing agents in good privacy and data protection practices.

Processing agents

This clause must reflect the arrangement established in the previous step. If one party is a controller and the other a processor, it may be worth providing that the latter must follow the lawful instructions of the former for the processing activities, reinforcing the text of the Law.

Duty to cooperate

The Law does not impose a duty of cooperation between the parties, so it is important to define in which cases they should collaborate. Some examples are cooperating to:

  • respond, within the legal deadline, to requests from personal data subjects;
  • provide information and facilitate investigations into personal data incidents, such as data leaks or abusive processing, including limiting the disclosure of information about possible incidents to what the law and its regulations require;
  • define which party must respond to requests from judicial or administrative authorities, such as the ANPD, and within what deadlines;
  • gather evidence of conformity with the applicable frameworks for possible audits.

For critical or high-risk processing, the contract may provide for compensation and/or termination, without penalty to the injured party, if the other party fails to cooperate.

Personal data processed

Since one of the essential elements of a processing activity is the definition of the types of data processed, including the categories of data subjects, it is important to assign responsibility for the legitimacy of this choice to the controller, also limiting the choices of the processor or sub-processor involved in the activity.

In some cases, where the risk is higher, it may be worth listing in the contract the specific types of personal data processed, so that both parties are bound to that set. So that the relationship does not become rigid and dependent on signing amendments to add or remove data from the list, the parties may agree that such changes can be made by e-mail between their data protection officers or legal teams.

Purpose and legal basis

This clause follows the same logic as the previous one. The controller is responsible for this definition, which limits the activities of processors and sub-processors. The purposes and legal basis may be described in the contract if the parties find this useful.

Sharing

The parties must define whether or not they may share personal data with other third parties. For example, a controller may want to prevent its processor from sharing with sub-processors the personal data it has access to under the agreement.

However, many processing agents now take part in a service supply chain, especially for digital services. Such a prohibition may therefore limit, in turn, the services the processor can offer the controller.

Another restriction that can be placed in this clause concerns the purpose of the sharing. In that case, the controller could accept the sharing provided its purpose is to perform the agreement itself or other commercial agreements between the parties.

If sharing is authorized, it is important to require that agreements be signed with those third parties reflecting the obligations of the original agreement. Finally, in a contract between controller and processor, it is possible to provide that, if sub-processors cause data incidents, the processor must compensate the controller.

International transfer of personal data

This clause follows the same logic as the sharing clause above. However, if the transfer is authorized by the controller, it must rely on one of the instruments of art. 33 of the LGPD. As long as there is no ANPD regulation on the subject specifying which countries provide an adequate level of protection, a model of standard contractual clauses, or which seals and certificates are valid, the controller will have to rely on one of the other hypotheses in that article.

In any case, this clause may make clear that choosing the appropriate instrument for the transfer is the controller's responsibility, exempting the processor and/or sub-processor involved.

Deletion

Art. 15 of the LGPD lists the hypotheses in which processing ends, and when one of them occurs the data must be deleted. Processing may end, for example, because the intended purpose has been achieved or because consent has been revoked, where consent is the applicable legal basis. Defining when processing ends is also one of the essential elements of the processing activity.

It is therefore the controller's responsibility to assess when, in the relationship covered by the agreement, the processing ends and whether any purpose authorizes retaining the data (art. 16 of the LGPD). It is worth setting this parameter in the contract to reduce the risks associated with indefinite storage of personal data.

Security

The Law states that all processing agents must implement security measures to protect personal data. If sensitive personal data is involved, the contract may provide for specific measures for its protection. It is also worth checking whether the framework the parties have adopted sets specific security requirements that can be added to this clause, such as a Privacy by Design process or specific ISO controls. Concretely named controls (for example, encryption of data at rest and in transit, access restricted by role, and logging of access to the data) are easier to verify in an audit than a generic "adequate security measures" clause.

Security Incidents

Regardless of the legal arrangement between the parties, it is very important to require that incidents involving the data be communicated within a reasonable time. The ANPD has not regulated the period for a processor to notify the controller, so the clause can be left flexible, so that the agreement is already adequate once such a definition exists. If the agreement covers high-risk operations, a specific deadline may be negotiated.

The content of this communication may mirror the requirements of art. 48 of the LGPD. Beyond the deadline and content, this clause may cover other details, such as the delivery of a remediation plan by the party that caused the incident and evidence of the subsequent fix; possible compensation to the innocent party; and the possibility of terminating the contract without penalty.

Audit

For high-risk cases, audit clauses may be negotiated, ensuring at a minimum that the other party will present sufficient evidence of compliance with its legal obligations.

Rights of the data subject

Responding to data subjects' requests is the controller's role. Sometimes, however, processors receive such requests directly from the data subject. For these cases, this clause may set a deadline for notifying the controller, in line with the parties' obligation to cooperate.

Responsibility

The liability of the parties is directly tied to the legal arrangement between the processing agents. For example, if the contract is between controller and processor, art. 42 of the LGPD provides for joint and several liability between the parties in some cases, but the contract may spell out the limits of that liability. This clause may also set out when a party has the right to implead the other in a lawsuit or to seek recourse against it.

A contractual penalty for breach of the clauses may also be included. The liability clause may also cover cases in which one of the parties is not responsible for data protection, for example when a court decision requires the sharing.

Streamline contract negotiations

For agreements to be effective as an expression of the parties' will, it is important first to understand the processing agents involved and the flow of personal data, considering the operation as a whole, from collection to deletion, and all the agents with whom that information may be shared.

If the goal is to develop a standard contract template to be negotiated with many different people or companies, it is worth determining in advance which clauses are non-negotiable, which can be negotiated and how far concessions can go, and which clauses can be dropped without risk to the organization. This makes negotiation faster and the legal review more efficient.

Using an electronic signature, such as Clicksign, can further streamline the signing of agreements and contracts and improve the efficiency and convenience of your negotiation and document management processes.
