How can I adapt my Contracts to the LGPD?
Will any personal data be shared? (e.g. name, CPF, clients’ or collaborators’ addresses)
If yes, you must adjust! Why?
Mitigate risks: by defining contractual rules on the sharing of personal data with third parties, you avoid non-compliance with data protection legislation by these third parties and, consequently, the application of joint and several liability.
Good practices: according to the General Data Protection Law (LGPD), establishing specific obligations for those involved in data processing is considered a good practice.
Reduce sanctions: under the LGPD, adopting good practices will be considered when setting administrative sanctions, making it possible to reduce penalties for companies that adopt good practices.
Accountability: according to the LGPD, processing agents must adopt measures capable of proving compliance with personal data protection rules. Contracts can therefore help with this accountability process.
What Should I Look Out for Before Hiring?
Contracting policy with third parties
Before hiring, it is necessary to assess whether the third parties with whom the data will be shared have the minimum requirements to guarantee information security and data protection.
You can carry out this assessment as follows:
Evaluation criteria: define the criteria according to the activities contracted and the risk involved in the data-sharing process using a risk matrix (low, medium, and high).
Due Diligence and Auditing:
Check if the third party has:
* privacy notice/policy;
* (a) information security and (b) retention and disposal policies;
* communication channel with data subjects;
* communication channel with the Data Protection Officer (DPO);
* incident action plan;
* internal guidelines.
Adoption of Technical Measures: define the data-sharing processes with third parties so as to guarantee information security, and set technical and operational guidelines for them.
How do I Adjust my Contracts?
Pre-existing
Amendment: when there is already a contract in place, it is recommended to sign an addendum to this contract to insert the rules regarding data protection according to each specific contract (i.e. considering the degree of risk in sharing the personal data involved in the relationship).
Sharing contract: when there is no written contract, it is advisable, at the very least, to sign a data-sharing agreement to regulate such sharing.
New Contracts
Set Clauses: it is advisable to define template clauses according to the risk involved in the contract, defining whether a (a) simplified template (low-medium risk) or a (b) robust template (high risk) will be used.
Which Clauses Should I Include in my Contracts?
Defining the controller and the processor: define who is the controller (the party that makes the decisions about the processing of personal data) and who is the processor, or operator (the party that carries out the processing according to the controller's decisions), or whether there is a sole controller or joint controllers.
Purpose of processing: indicate why the data is being processed, why it will be shared with the third party, and the limits on its use.
List of shared data: list what data will be shared, including the categories of this data, for example: financial data, sensitive personal data…
Compliance with data protection: indicate which laws and regulations must be observed during the performance of the contract, including those published by the National Data Protection Authority ("ANPD").
Security measures: define minimum standards for information security.
Notifications and security incidents: define guidelines for reporting data incidents. For example, setting a deadline of 24 hours for the processor to inform the controller of an information security incident.
Processing record: define obligations for the parties to justify the processing of data on the basis of a legal basis provided for in the LGPD.
Compliance with data subjects' rights: provide guarantees regarding the exercise of data subjects' rights, such as indicating the communication channels available to data subjects.
Civil liability: set rules on the non-contractual liability of the parties.
International data transfer: determine control measures on the international transfer of data, when necessary. The measures must protect the data being transferred, by complying with the ANPD’s ordinances and regulations.
Audit: determine how the auditing process will be conducted by the parties or by third parties.
Sub-contracting: set rules on the subcontracting of third parties to carry out one or more processing operations, so that sub-processors offer security equivalent to that required under the main contract.
Elimination and disposal: set rules on the disposal and elimination of shared data after the termination of the contract or the end of data processing, observing the rules on the maintenance of data on legal/judicial grounds.