Data Processing Agreements: Do You Need One? Do You Know If You Need One?

A recent holding (Schrems II) by the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Framework, on which many U.S.-based companies relied to transfer data in and out of the EU and UK. Now, more than ever, properly drafted Data Processing Agreements are critical components of an organization’s compliant privacy framework.

Best practices for providing legal cross-border data transfers

In the European Economic Area (EEA) and United Kingdom (UK), liability for privacy and data protection compliance is shared between the Controller and the Data Processor. An agreement between the parties, called a Data Processing Agreement, that sets forth minimum data protection standards and related responsibilities is therefore critical for complying with applicable laws.

After the invalidation of the EU-US Privacy Shield, Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) have become best practices for providing legal cross-border data transfers.

Kinney Firm can help with international data protection and privacy law compliance

If your organization is transferring data across borders, you should have Data Processing Agreements and Standard Contractual Clauses in place with your vendors (hosting companies, payment processors, analytics providers) and your clients (they will need a data processing agreement with your organization, as one of their processors) in order to comply with applicable data protection and privacy laws.

Compliance with international data protection and privacy laws now requires a case-by-case assessment of the cross-border data transfer and custom contracts. Kinney Firm can assist you with:

  • Binding Corporate Rules (internal rules for multi-national companies regarding cross-border data transfers).
  • Standard Contractual Clauses (SCCs) Controller to Processor (e.g., client agreements).
  • Standard Contractual Clauses (SCCs) Controller to Controller (e.g., vendor agreements).
  • Adequate additional safeguards for using SCCs. SCCs, on their own, may not be enough to maintain data protection and privacy compliance with a particular law. Your data processing agreement may need to offer additional data protection safeguards (technological or operational) in order to offer adequate data protection.

Being proactive in achieving and maintaining compliance, rather than reacting to a data breach or legal dispute, is how to avoid costly privacy-related mistakes.

Schedule Your Data Processing Agreement Assessment

Even if you have Data Processing Agreements in place, they may need to be revised, and Standard Contractual Clauses added, to maintain data protection and privacy compliance. Schedule your 1-hour consultation with Kinney Firm to determine what you need.