Data Protection: Compliance

NDA

Today, it is usually not enough to simply require the parties to warrant “compliance with applicable laws.” The potential risks of unauthorized disclosure of “personal information” (see section entitled “Personal Information”) may require the parties to identify with unusual specificity which laws apply for compliance purposes, including applicable privacy laws.

A commonly cited standard for data-privacy compliance purposes is the European GDPR:

Exemplar N6B-1

Any information containing personal data shall be handled in accordance with all applicable privacy laws and regulations, including without limitation the General Data Protection Regulation, (GDPR) (EU) 2016/679 and equivalent laws and regulations. If for the performance of the Project it is necessary to exchange personal data, the relevant Parties shall determine their respective positions towards each other (either as controller, joint controllers or processor) and the subsequent consequences and responsibilities according to the GDPR as soon as possible after the last date of signature of this Agreement and where required implement these in a separate written agreement.

In the following exemplars, the parties expressly and specifically identify other data-privacy legal standards for compliance purposes:

Exemplar N6B-2

For the purposes of this NDA, “Privacy Laws” means all state, federal, and international laws and regulations, including (without limitation): the California Consumer Protection Act of 2018 (“CCPA”), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations and the Health Information Technology for Economic and Clinical Health Act (HITECH) and its implementing regulations (collectively, the “HIPAA Rules”); the Personal Information Protection Act of the Republic of Korea (“PIPA”) and the Enforcement Decree of PIPA; the laws and regulations of Australia and its States and Territories with respect to privacy and the protection of personal information, including (without limitation) the Australian Privacy Act 1988 (Cth) (“Australian Privacy Act”) and Australian Privacy Principles under the Australian Privacy Act; and laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom, related to data privacy, including (without limitation) the EU General Data Protection Regulation (2016/679) (“GDPR”) and any applicable national implementing laws.

Exemplar N6B-3

“Data Protection and Privacy Laws” means all country, federal, state, foreign and local laws, rules, regulations, directives and governmental or data protection authority decisions, in each case, having the force of law applicable to the collection, processing, use, storage, transmission and/or disclosure of Personal Data, Personal Information, personally identifiable information, sensitive personal information and Special Categories of Personal Data, including, without limitation, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the California Consumer Protection Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Privacy and Electronic Communications Directive 2002 (or “ePrivacy Directive”), the (UK) Data Protection Act 2018, the (Swiss) Federal Act on Data Protection of 19 June 1992, and Title V of the Gramm-Leach-Bliley Act of 1999, all of which as they may be amended and/or superseded from time to time.

The parties can also expressly refer to laws, regulations, rules and standards specific to a particular industry, such as the credit-card industry, as shown in the following exemplar:

Exemplar N6B-4

Without limiting the generality of the foregoing (i) the Receiving Party shall adhere to requirements of the Payment Card Industry Data Security Standard in effect from time to time ("PCI DSS"), in connection with all use, if any, of Personal Data that is "cardholder data" or "sensitive authentication data" (as each such term is used in PCI DSS); (ii) the Receiving Party must include reasonable policies and procedures for detecting, preventing and mitigating identity theft that conform to regulations and guidelines promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 and rules and regulations adopted thereunder; and (iii) the parties shall each comply with all Applicable Laws. "Applicable Law" means any privacy, data security, breach notification, identity theft or other United States federal or state law applicable to Personal Data. For purposes of this Agreement, references to and compliance with Applicable Law shall mean reference to and compliance with any Applicable Law of the jurisdiction in which an individual whose Personal Data included in Confidential Information resides, even if any such Applicable Law does not otherwise impose a direct obligation on the Receiving Party.