Cloud computing, outsourcing, hosting, storage, disaster recovery services, and numerous other services agreements allow service providers to have access to a large amount of personal data. Each of these transactions raises a wide variety of issues associated with the protection of personal data, from privacy to security, e-discovery to cross-border transfers, breach of security to identity theft. Each commercial relationship has its own idiosyncratic requirements, and there is no simple one-size-fits-all answer.
Numerous Federal and State laws – and, as applicable, foreign laws – regulate or restrict the use of subcontractors and service providers, or set specific rules that must be followed in preparation for, and during the performance of these contracts.
The structuring and performance of these commercial contracts require important activities at each stage of the relationship in order to ensure compliance with applicable laws, regulations, jurisprudence, guidelines and industry practices with respect to the collection, processing, sharing or disposal of personal data.
As privacy and security counsel, our role in these transactions is to:
- Guide our clients through the maze of the data privacy and security legal requirements and restrictions that may affect the proposed transaction;
- Address the data privacy and security issues in RFPs or RFIs; review third party questionnaires; prepare responses;
- Perform the appropriate legal data privacy and security due diligence in preparation for the transaction;
- Clarify for the client the provisions or disclosures with respect to data privacy and security that are made in form agreements used by their counterparties;
- Assist the client through the lengthy and complex process of negotiating the data privacy and security provisions in the related agreements;
- Structure and negotiate a comprehensive contract that addresses the numerous data privacy and security issues raised by the processing of personal data;
- Guide the client through the monitoring obligations, in order to ensure the proper performance of the data privacy and security obligations of the service provider under the executed contracts and the continued protection of the personal data throughout the life of the contract;
- Ensure, during the life of the contract, that the necessary supervision, monitoring, and auditing of the performance of the vendor’s data privacy and security obligations are periodically conducted; and
- Ensure, upon termination of the relationship, that all personal data are securely transferred and deleted within the applicable legal or contractual requirements.
We have assisted businesses in a wide variety of such contracts. For example:
- Billion-dollar outsourcing contracts;
- Cloud computing arrangements;
- Disaster recovery and business continuity services;
- Outsourcing agreements;
- Job site hosting services;
- Business associate agreements;
- Health data hosting agreements;
- Data processing;
- Electronic storage of company data.
Some of our engagements have raised unusual issues, or pertained to unusual circumstances, such as:
- Health club services agreement where the health club service provider needed access to sensitive employee data;
- Software maintenance agreement where the service provider had access to healthcare data stored in the networks to be maintained;
- Outsourcing of travel agency services;
- Hosting employee human resources data from the global affiliates of a company with a cloud service provider located in the European Union.
Companies must use extreme caution when retaining a service provider to perform any activity that involves access, processing, storage, or disposal of personal data. Structuring and negotiating contracts that pertain to services that require access to personal data present unusual, complex challenges beyond the usual challenges of commercial contracts because they touch upon an area of the law that is highly regulated.