Outsourcing agreements and data protection clauses – the customers!
We covered issues connected to liability clauses, termination clauses, SLAs and penalty/liquidated damages clauses, forum selection and applicable law clauses, intellectual property clauses in outsourcing agreements, but I thought that we had to review data protection / privacy clauses which are vital for outsourcing agreements involving the flow of data between different entities located worldwide that trigger major data protections issues .
European Union data protection laws are very restrictive and might cause a major issue in case of outsourcing agreements where the service supplier or in general terms the entities involved in the offering of the service are located outside the European Union such as in India or in the United States.
However, there are some regulatory tools aimed at allowing the transfer of personal data between the entities involved in the provision of the service. In this respect, the most common approach to be followed is to implement the so called “Standard contractual clauses for the transfer of personal data to processors established in third countries“. The execution of such type of contract as part of outsourcing agreements places on the service supplier some obligations based on European Union data protection laws which according to the European Commission are sufficient to enable an adequate level of protection of personal data making the flow of data to the service supplier compliant with EU laws.
But standard contractual clauses do not sort (or do not easily sort) the issue of outsourcing agreements requiring the flow of personal data within different entities of a groups that have some subsidiaries located outside the European Union. Such type of agreements require the implementation of the so called binding corporate rules that have been extensively reviewed in this post.
Finally, privacy clauses are relevant in outsourcing agreements also because it shall be very carefully regulated the hand-over of the data to the new service supplier on the termination of the agreement. This makes crucial to regulate the ownership of the data and the proceeding to to be followed on the termination of the agreement.
As usually, it is would be interesting to know your view on the above. For this purpose, feel free to contact me, Giulio Coraggio, also follow me on my Facebook page, Google+ or Twitter and become one of my friends on LinkedIn.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.