
How to correctly negotiate and draft a data processor contract: the points of conflict.

Within the framework of a client-supplier commercial relationship, it is common for the supplier company to need to process personal data for which the client company is responsible in order to provide the contracted services.

In these cases, Article 28 of the GDPR requires the signing of a contract commonly called a data processing agreement or DPA. This agreement must establish the object, scope and conditions that regulate the processing carried out under the instructions of the data controller, the client company.

In today's article we set out the main aspects to take into consideration when negotiating or reviewing this type of contract.

Data processor contracts

1- Description of the processing:

This point is critical, and it does not matter which side our client is on when reviewing the contract: describing the processing must always fall to the controller. Defining the processing provides control over it, and from the standpoint of contractual liability it is in the interest of both parties that this control rests with the controller.

In practice, it is not unusual for the description of the purposes of the processing to consist of a generic reference to the object of the service contract or to the order form; however, it is important to ensure that the documents, taken together, also delimit the categories of data subjects and the types of data that will be processed.

2- Deadlines that must be considered:

In general, three deadlines need to be taken into consideration:

  • the duration of the contract, which is usually linked to the main contract;
  • the deadline for the processor to forward data subject rights requests to the controller; and
  • the period within which the processor must notify the controller of a detected security breach.

The last two deadlines can, of course, be modulated according to the interests of the party to the contract that we represent. Even so, we must not forget that, within the legal deadlines, the contract must set periods whose effective compliance is reasonable. Thus, for forwarding rights requests, a period of 3 – 5 business days would be appropriate, and for notifying security breaches, a period of 48 hours – 72 hours from detection would be fair and realistic for communicating the breach with sufficient information. In this regard, recall that the AEPD, in its latest security breach guide, has interpreted Article 33.2 of the GDPR as giving the processor a maximum of 72 hours to inform the controller.

3- Subcontracting and international transfers:

Again, regardless of which party to the contract we advise, it is advisable to avoid general authorisation formulas for subcontracting; it is preferable to record the list of sub-processors in the contract itself, thereby guaranteeing that the controller retains control over the processing entrusted to the processor.

From the point of view of the processor who subcontracts, it is responsible for passing on to its sub-processors terms equivalent to those agreed with the client. This duty becomes especially complex when outsourcing cloud services to large providers, which in turn normally subcontract to numerous companies to deliver those services and, on occasion, carry out international transfers beyond our control. In these cases, the most advisable course when bidding for public sector contracts or private sector RFPs is to be clear about the compliance scenario that we can actually guarantee.

4- Security measures:

Paradoxically, neither the GDPR nor the European Data Protection Board has given an unequivocal answer as to who must propose the security measures appropriate to guarantee the security of the data, although they have shown a preference for the controller as the party obliged to analyse the risks inherent in the processing. Regardless of this, the duty to validate the proposed measures always falls on the controller.

5- Audits:

The limits and content of the controller's power to oversee the processor's activities are always a point of conflict, since exercising it entails costs for the project that it is always important to avoid.

The two most common ways of monitoring the processor's compliance are:

  • Requesting certificates of compliance with international standards.
  • Having the controller or independent third parties audit the processor's activities and systems.

Certificates should be requested with knowledge of the facts: it is common for their scope not to cover, or to cover only partially, the information systems or assets involved in providing the service, which is why they are not usually effective.

It is important to spell out how audits are carried out; it is reasonable for their cost to be borne by the controller, for them to require a certain advance notice and justification, and for their execution not to hinder the processor's operations.

A recommended measure, prior to contracting the services, is to ask the processor to complete a self-assessment questionnaire that allows the controller to gauge the processor's degree of reliability.

6- Responsibility:

Liability clauses are usually a dispute between lawyers, as could not be otherwise: each side wants to shift the risk onto the other. However, the most advisable and quickest way to negotiate is to agree on clauses under which each party answers for its own conduct and indemnifies the other, very much in line with the provisions of Article 82 of the GDPR.

Lawyer specialized in IT/IP at Grupo SIA
