Policy, Program and Procedures

  • 1.  Privacy Agreement

    Posted 10-26-2022 11:29 AM
    Does anyone have a standard privacy agreement they would like to share for their vendors?


  • 2.  RE: Privacy Agreement

    Posted 11-01-2022 02:00 PM

    Hi Tanner,

    Having a Privacy / Data Processing Agreement between your organization and your vendor is a great way to establish the terms of how the personal data you share with them can or will be used.  When creating an in-house privacy agreement, it is always best practice to have your legal team review prior to implementing a new document. Here are some provisions you may want to consider:

    Vendor Obligations:

    1. Compliance with Instructions – Vendor will only process Customer Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law.
    2. Conflict of Laws – If the vendor becomes aware that they cannot Process Customer Data in accordance with your Instructions due to a legal requirement under any applicable law, they will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Customer Data) until such time as you issue new Instructions with which they are able to comply.
    3. Security – Vendor will implement and maintain appropriate technical and organizational measures to protect Customer Data from Customer Data Breaches. Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
    4. Confidentiality – Vendor will ensure that any personnel whom they authorize to Process Customer Data on your behalf are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Customer Data.
    5. Notification of Customer Data Breaches – Vendor will notify you without undue delay if they become aware of a data breach and promptly provide assistance to enable you to notify authorities and/or affected data subjects if required to do so under Data Protection Laws.
    6. Deletion or Return of Customer Data – Vendor shall delete or return all Customer Data processed pursuant to the DPA upon expiration or termination of the services provided. This provision shall apply except where they are required by applicable law to retain some or all of the Customer Data.

    Sub-Processors:

    1. Use of Sub-Processors – Vendor may engage Sub-Processors to process personal data on your behalf. (Vendor should provide a current list of appointed sub-processors and agree to notify prior to adding/removing.) Where the Vendor engages Sub-Processors, the vendor will impose data protection terms that provide at least the same level of protection as those in this DPA. Vendor shall remain responsible for each Sub-Processor's compliance with these requirements.

    Data Transfers:

    1. Vendor may access and process personal data on a global basis as needed to provide the services. Personal Data may be transferred within the United States or to other locations where affiliates or sub-processors have operations. Wherever personal data is transferred outside its country of origin, each party will ensure transfers are made in compliance with applicable Data Protection Laws.

    General Provisions:

    1. Parties to the DPA
    2. Severability
    3. No Waiver
    4. Governing Law
    5. Precedence of Provisions
    6. Limitation of Liability

    Details of the Data Processing:

    1. Nature and Purpose – Vendor will process personal data as necessary to provide the services pursuant to the agreement.
    2. Duration – Vendor will process data for the duration (insert term) of the agreement.
    3. Categories of Data Subjects – dependent on services
    4. Categories of Personal Data – dependent on services
    5. Processing Operation – Personal Data will be processed in accordance with the agreement and may be subject to disclosure in accordance with the agreement and/or as compelled by applicable laws.

    Security Measures:

    1. Security – Vendor shall take reasonable measures designed to: (i) ensure the security and confidentiality of the Customer Data; (ii) protect against any anticipated threats or hazards to the security or integrity of the Customer Data; (iii) protect against unauthorized access to or use of Customer Data; and (iv) ensure proper disposal.
    2. Organization of Data Protection – Vendor shall mitigate risks posed by employees with access to or responsibilities for Customer Information by instituting segregation of duties, conducting employee background checks, requiring non-disclosure agreements, training personnel regarding information security, and maintaining sufficient staffing for the protection of Customer Data.
    3. Access Control – Vendor shall have an effective process to control and secure access to Customer Data based on the principle of least privilege through secure authentication, authorization mechanisms, and access control rules that reflect the risk associated with the information system and the type of information stored therein.
    4. Asset Management – Vendor shall securely handle, process and store Customer Data in its systems. Vendor should be able to identify and locate your data and keep it segregated from other customers' data.
    5. Encryption – Vendor shall employ encryption to address information security objectives for Personal Data to mitigate the risk of unauthorized disclosure or alteration of Customer Information while in transit or in storage on networks or information systems. The type, strength, and quality of encryption should be based on a risk assessment, classification, and the latest regulatory requirements and best practices. Cryptographic keys must be protected against unauthorized access, disclosure, modification, and loss.
    6. Physical & Environmental Security – Vendor will implement industry standard or better administrative, physical, and technical safeguards to protect Customer Data, its Systems, equipment, and information processing facilities from unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss or misuse.
    7. Data Security Audit Considerations – Vendor shall engage a third party to perform annual audits of its Data Security Measures, and such audits shall cover Data Security Measures of its critical subservice providers. Such third-party audits shall be in the form of a SOC 2 Type II or equivalent, or any successor thereto ("Security Audit").

    While this is not a complete list of provisions, it should certainly help put you in the right direction. Also worth noting, if more than just USA privacy laws are in scope, you may need to have additional language in place, as some countries do not ensure an adequate level of data protection.

    I look forward to seeing what others in the community have in place with their vendors.

    Kind regards,
    Heather