Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

Data Protection & Cyber Security

Russia Small Flag Russia

Processing of data by service providers requires conclusion of the data processing/transfer agreement. The agreement shall contain a number of mandatory terms, namely:

  • list of operations on PII carried out by the service provider;
  • security and confidentiality obligation of the service provider;
  • purposes of the data transfer;
  • list of security measures to be taken by the service provider (in accordance with Russian data protection laws).

Argentina Small Flag Argentina

Decree No. 1558/2001 provides that the data processing agreement must (i) detail the security measures established in the Data Protection Law; (ii) include the parties’ confidentiality obligations; (iii) establish that the data processor will only act as instructed by the data controller; and (iv) establish that the data processor is also bound by the Data Protection Law’s requirements in connection with the security of the data.

In connection with data processing services and international data transfers, please see question 15 below regarding Data Protection Authority Rule Number 60 - E/2016.

Brazil Small Flag Brazil

There is no legal provision requiring minimum contract terms or other restriction related to hiring service providers. Companies shall negotiate contract limits and restrictions between themselves. Nonetheless, the LGPD provides general guidelines related to security issues for data processors and data controllers, and also establishes that this matter can be further regulated by the national authority.

Bulgaria Small Flag Bulgaria

No special national rules have been adopted with regard to minimum contract terms with service providers or any other restrictions relating to the appointment of service providers have been adopted.

The general requirements with regard to engaging data processors in accordance with Article 28 GDPR apply:

  • Controllers may only use processors that guarantee they will implement appropriate technical and organisational measures to protect data subjects' rights.
  • Processors must not engage another processor without the controller's specific or general written authorisation. If the processor wants to add or replace other processors, it must first give the controller an opportunity to object to the changes.
  • Processors must also have a contract or another legal agreement with the controller that, with regards to processing, sets out:
    - The subject matter and duration
    - The nature and purpose
    - The type of personal data and categories of data subjects
    - The controller's obligations and rights
  • The written contract or legal agreement may be in electronic form and specify that the processor:
    - Will only process personal data on the controller's documented instructions; or if EU or member state law requires it and the processor informs the controller about the legal requirement before processing unless the public interest prohibits this disclosure
    - Ensures that authorised persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
    - Has taken required security measures
    - Respects the conditions for engaging another processor
    - Can fulfil the controller's obligation to respond to requests for exercising data subjects' rights
    - Assists the controller in ensuring compliance its obligations under Articles 32 to 36, GDPR, including:
    • implementing security measures to protect processing
    • notifying a personal data breach to the supervisory authority
    • communicating personal data breaches to the data subject
    • carrying out data protection impact assessments, and
    • consulting the supervisory authority prior to processing if the data protection impact assessment indicates this is required.
    - Deletes or returns all personal data to the controller at the end of the provision of processing services, at the controller's discretion and deletes existing copies unless EU or member state law prevents this
    - Makes available all information necessary for the controller to demonstrate compliance, including allowing for and contributing to audits.

Switzerland Small Flag Switzerland

FADP does not require any minimum contract terms. There are also no other explicit restrictions relating to the appointment of service providers. However, the controller of the data file remains liable for data protection infringements by the service provider. It has therefore an interest in diligently selecting service providers and in monitoring the behavior of the service provider.

Spain Small Flag Spain

Data Processing for processors acting on behalf Controllers shall be governed by a contract or other legal act, according to article 28 of GDPR, whose content shall include the obligations listed in the previous article. The Spanish LOPD adds a stipulation that can be included in this contract by which the processor is able to process, on behalf of the Controller, the requests formulated by the data subjects in relation with their rights.

The Spanish authority (AEPD) has released a model of contract between Controllers and Processors which can be used as an indicative model for the parties. It does not have the status of standard clauses for the purposes of article 28.8 of the GDPR. It is only available in Spanish language: https://www.aepd.es/media/guias/guia-directrices-contratos.pdf

Chile Small Flag Chile

Only in processing bank data, the Superintendency of Banks and Financial Institutions shall have authority to issue instructions and adopt all measures aimed at the correction of the irregularities he may observe and, generally, those he may deem necessary in order to protect the interests of the depositors or other creditors and of public interest.

According to the abovementioned, the Superintendency of Banks and Financial Institutions issued a ruling regarding incidents/breaches of security or cybersecurity, in which is mandatory for banks will report all the incidents related to Cybersecurity occurred in the current month, including updated information or complementary to incidents reported in previous periods. It will be understood by Cybersecurity incident any event that threatens or adversely affect the information assets of the institution, as well as the infrastructure that supports it. It will consider alerts to those events registered but not materialized.

In addition, see answer to question 16 and 23.

Germany Small Flag Germany

Where a service provider processes personal data on behalf of the controller and is subject to his instructions as to how he may process this data, the controller and the data processing service provider need to conclude a data processing agreement (DPA), Art. 28 GDPR. The DPA shall regulate the specifics of the data processing the processor conducts for the controller in accordance with Art. 28 (3) GDPR. The controller may only contract processors which guarantee a certain level of data protection. Besides, the controller needs to make sure that the processor adheres to certain standards of processing the personal data. Art. 28 (3) GDPR offers a catalogue of rules a DPA has to stipulate, amongst them the processors commitment to security measures required pursuant to Art. 32 GDPR, the commitment to delete or return all data after the end of the provision of services and to provide the controller with all necessary information to demonstrate compliance. Moreover, the controller is allowed to inspect all measures taken by the processor and conduct audits.

A similar contract needs to be concluded, if two controllers process personal data for joint purposes (Art. 26 GDPR) or shared means of processing.

India Small Flag India

For transfer of PII and sensitive PII, equivalent security standards have to be maintained by the transferee, which would typically be included in the contract between the transferor and the transferee.42 No additional requirements including with respect to minimum contract terms or due diligence of service provider are mandated under the Privacy Rules.

42 - More details relating to transfer are given in our responses to Queries 13 and 15.

China Small Flag China

The PI Specification requires the personal information controller to supervise the processor in the manners including but not limited to establish the processor’s responsibilities and duties through contract and carry out an audit of the processor.41 It also requires the personal information controller to carry out a personal information security impact assessment, ensuring that the delegatee has sufficient data security capabilities and provides sufficient security safeguards.42

41 PI Specification. 8.1 d).
42 PI Specification. 8.1 b).

Indonesia Small Flag Indonesia

In general, there is no requirement of minimum contract terms, nor any forms of restriction, in respect of appointment of service providers under MCI Regulation 20/2016.

However, stricter compliance requirements shall apply for the use of information and technology in banking sector, in which appointment of service provider shall involve a due diligence exercise and evaluation process.

Portugal Small Flag Portugal

GDPR in its article 28 requires the controller to use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Although not mandatory, due diligence or privacy and security assessments are a good mean of ensuring the above goal.

Nevertheless, while the data processor agreement concluded between the controller and the processor, the controller should audit and inspect the processor in order to ensure the later complies with the legal and contractual obligations undertaken.

The GDPR also requires that the processing by a processor shall be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

Furthermore, it requires the following minimum contract terms under which the service provider:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by law to which the processor is subject (in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest)

b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) takes all measures required by the GDPR to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage;

d) shall not engage another processor without prior specific or general written authorisation of the controller (and in the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes);

e) where engages another processor for carrying out specific processing activities on behalf of the controller (i) the same data protection obligations as set out in the contract between the controller and the processor shall be imposed on that other processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and (ii) shall remain fully liable to the controller for the performance of the other processor's obligations, if the later fails to fulfil them;

f) assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights;

g) assists the controller in ensuring compliance with the obligations concerning security, notification of a data breach to the supervisory authority and to the data subject, DPIAs and prior consultations to the supervisory authority, taking into account the nature of processing and the information available to the processor;

h) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

i) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller;

j) inform the controller if, in its opinion, an instruction infringes the GDPR or other data protection Laws.

United Kingdom Small Flag United Kingdom

Yes, there are minimum mandatory contractual provisions that data processing clauses/contracts with a processor must contain, which includes an obligation to flow-down those obligations to sub-contractors. Failing to include these is itself a breach. If data is being shared between two independent controllers an appropriate data sharing agreement should be entered into by the parties.

The new contractual commitments to be imposed on processors, include assisting with many of the obligations imposed on controllers (such as controllers' obligations to respond to the exercise of data subject rights, data security and other governance obligations).

Processors also have a direct statutory "policing" obligation, to "immediately inform" the controller if, in the processor's opinion, an instruction infringes the Data Protection Act 2018.

A restriction on appointing sub-processors must also be included whereby sub-processors cannot be engaged without the controller's prior consent, which may be general, but if general then proposed changes must be notified in advance to give controllers a chance to object. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that sub-processor's obligations.

A controller will conduct due diligence on a proposed processor to enable it to show how it has sought to comply with the data protection principles. This will include the security measures that the processor has in place.

Sweden Small Flag Sweden

Yes, according to article 28 of the GDPR, a controller’s appointment of a processor shall be governed by a contract (so-called data processing agreement) or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter, including details about the processing which the processor shall carry out (duration, nature and purpose of the processing, the type of personal data and categories of data subjects) and the obligations and rights of the controller (article 28(3) of the GDPR).

Further, if a controller wants to appoint a processor, the controller must make sure to only appoint such processors who can provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject (article 28(1) of the GDPR).

Greece Small Flag Greece

Law 2472/1997 (article 10) provides that when data processing is conducted on behalf of the data controller by an entity non depending by the latter, the respective assignment should -by way of obligation- be made in writing. This assignment safeguards that the data processor proceeds only upon relevant orders of the data controller and that similar obligations on confidentiality and security of data processing respectively apply upon the former. The Greek draft law (article 38) further provides, under the light of GDPR specific requirements that should be fulfilled in order to engage data processors in processing activities.

In Greece, provisions on the respective requirements in cases of processing carried out on behalf of the data controller are specified under the GDPR. The data processors should guarantee the implementation of appropriate technical and organizational measures along with the confidentiality obligation of the persons authorized to process the data, the assistance in the exercise of rights from the data subjects, provisions on deletion or return of personal data following termination of service provision, making available to the controller all information necessary to demonstrate compliance, prior general or specific authorization for further engagement of data sub processors and performance only upon relevant orders and instruction of the data controller. Furthermore, assistance of the controller is also foreseen with respect to the obligations relating to data breach incidents and DPIAs. The respective assignment is concluded in writing and should precise the scope, duration, nature, purpose of processing, type of data, categories of data subjects, relevant obligations and rights of the contracting parties.

Turkey Small Flag Turkey

There are no specific minimum contract terms to be incorporated into service procurement agreements to be concluded with service providers and no specific regulatory restrictions are applicable to the appointment of service providers. As service providers processing personal data on behalf of the data controller are positioned as data processors, such parties are under data security and non-disclosure obligations, and the data controller is obligated to audit the service provider in this respect, pursuant to Article 12 of the Law No. 6698.

Austria Small Flag Austria

The provisions of art. 28 et seq. GDPR apply to the involvement of processors.

A processor may only be involved if it offers sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing is in accordance with the requirements of the GDPR and the protection of the rights of the data subject is guaranteed.

The controller must conclude a written/electronic contract with the processor. The minimum content of the contract is set forth in art. 28 GDPR. Further provisions are legally possible and are also agreed in practice.

France Small Flag France

Yes, there are minimum mandatory contractual provisions that data processing clauses/contracts with a processor must contain, which includes an obligation to flow-down those obligations to sub-contractors. Failing to include these is itself a breach. If data is being shared between two independent controllers, an appropriate data sharing agreement should be entered into by the parties.

The new contractual commitments to be imposed on processors include assisting with many of the obligations imposed on controllers (such as controllers' obligations to respond to the exercise of data subject rights, data security and other governance obligations).

Processors also have a direct statutory "policing" obligation, to "immediately inform" the controller if, in the processor's opinion, an instruction infringes the GDPR and/or the French DPA 1978.

A restriction on appointing sub-processors must also be included whereby sub-processors cannot be engaged without the controller's prior consent, which may be general, but if general then proposed changes must be notified in advance to give controllers a chance to object. Where that sub-processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that sub-processor's obligations.

A controller will conduct due diligences on a proposed processor to enable it to show how it has sought to comply with the data protection principles. This will include the security measures that the processor has in place.

United States Small Flag United States

U.S. privacy laws generally do not require minimum contract terms with service providers. However, there are several sector-specific federal laws, such as HIPAA, GLBA, FCRA, FERPA and COPPA, that may require service providers to be retained and governed by written agreements with specific provisions, and the new CCPA also takes this approach. Many state laws highly recommend that a written information security plan be included as part of the contractual requirements for service providers. In addition, California and Massachusetts laws require nonaffiliated service providers to contractually agree to take reasonable and appropriate measures to protect shared personal information, and Connecticut law requires contractors working with the state to encrypt all sensitive personal data that is transmitted wirelessly or via public internet connection or is visible on portable electronic devices. Some states also look to the PCI-DSS as the de facto benchmark for determining whether a service provider is sufficiently secure in the relevant context.

Updated: May 16, 2019