How do you review the data transfer clause in contracts?
After locating all the data transfer language in each agreement, key things to focus on when reviewing these provisions include:
- What data the clause applies to. As the examples below illustrate, data transfer clauses often include a defined term such as “Personal Data”, “Confidential Information”, or “Protected Health Information”, in which case it will be necessary to review the definition of any such term(s) to ascertain the full scope of the data to which the provision applies. Sometimes, however, the clause may refer to “personal data”, “personal information”, etc. without defining the precise meaning of those terms (see, for instance, examples 3, 4 and 7 below). Some of these terms are defined under various data protection laws - e.g., “personal data” (GDPR) and “personal information” (CCPA and PIPEDA). And while these terms may seem similar, they are generally not interchangeable. Accordingly, when encountering one of these undefined terms in a data transfer clause - or even a defined term in the clause that contains a legislative reference (e.g., “Protected Health Information” may reference the definition of that term under HIPAA) - be sure to check any applicable data protection laws to confirm how those statutes or regulations define them and, by extension, how they should be interpreted for the purposes of that clause. In addition, pay particular attention to any undefined terms in data transfer clauses that do not have corresponding definitions in applicable data protection laws, as the ambiguity this introduces could have problematic consequences - especially if it gives the vendor sufficient interpretive latitude to, say, transfer certain data to a jurisdiction where applicable law does not provide adequate safeguards.
- Restricted transfers. Some data transfer clauses contain clear restrictions on transfer. Example 14 below, for instance, restricts the transfer or processing of Client’s Personal Information outside the European Economic Area without Client’s written consent. Similarly, example 5 below states that no Customer Data or any Backups will be transferred to another country at any time. Note, however, that this example does allow data to be moved to a new location in “the same country of the Customer or the same designated country” without consent or notice. When reviewing any such restrictions on data transfer, be sure to confirm that they are consistent with the requirements of applicable law. Pay attention, as well, to any specific legislative references in the clause and check the relevant language in these laws or regulations to confirm all applicable transfer restrictions. Example 8 below, for instance, refers to the EU-U.S. Privacy Shield Framework and the U.S.-Swiss Safe Harbor Framework, which are rules that the U.S. and the European Union/Switzerland have adopted for the purposes of regulating the international transfer of customer data between them. This means the vendor would have to ensure that any such transfer complies with requirements of those frameworks and any limitations they impose. Incidentally, the Court of Justice of the European Union recently declared the EU-U.S. Privacy Shield invalid. The parties to the contract in example 8 would, therefore, need to revisit its terms to make appropriate modifications in response to this development, which emphasizes the importance of both vendors and controllers being aware of the data protection terms in their contracts so that they can effectively respond to changes in applicable data protection laws.
- Permitted transfers. In addition to (or instead of) restrictions on data transfer, some clauses may contain language permitting the transfer of data in certain circumstances. As mentioned above, the data transfer clause may need to accommodate transfers that are necessary for the vendor to fulfill its contractual obligations. The clause may, therefore, contain a statement indicating that any data the controller shares with the vendor may be transferred to another jurisdiction for this purpose (see, for instance, examples 1 and 2 below). It may also contain language establishing controller’s acknowledgement of and consent to any such transfer (see, for instance, example 3 below). As with restrictions on data transfer, when reviewing any permitted transfers, be sure to confirm that they are consistent with the requirements of applicable law.
- Disclaimers limiting vendor’s risk. Vendors may also seek to limit their responsibility, and by extension their risk, with respect to any data the controller shares with them for the purposes of the contract. The clause may, for example, state that the controller remains responsible for the data, including its appropriate classification and handling requirements (see example 6 below); and some clauses may even specify that, if the controller provides certain data to the vendor, it does so at its own risk, including with respect to any transfer of this data to another location or jurisdiction (see example 11 below). In addition, the vendor may want comfort that the controller has the necessary permission to transfer the relevant data to the vendor for the purposes of the contract (see example 7 below). Such language can be especially useful to vendors that may be several steps removed from the data subjects in the data custody chain and therefore want to ensure that any required consent has been obtained at each step along the way. When encountering a disclaimer in a data transfer clause, be sure to consider whether it is permissible under applicable law (in other words, are there obligations imposed on the vendor by law that it is not permitted to avoid by contract?).
As with the review of any contractual provision, it’s also important to be aware of other provisions that may affect the interpretation of data transfer clauses. Defined terms, for example, were mentioned in point 1 above. The breach response clause and the breach notification clause (if separate from the breach response clause) set out obligations that the vendor may have in the event of a data breach, including providing notice and support to the controller, investigating the breach, and ensuring appropriate measures are taken to contain and resolve it. The indemnification and limitation of liability clauses may contain important information about the vendor’s (and possibly the controller’s) liability exposure arising from a failure to comply with applicable data protection laws regarding the transfer of data subjects’ data. These clauses may supplement any vendor disclaimer of risk in the data transfer clause itself. Finally, although they are not contractual terms, the provisions of applicable data protection laws can help parties interpret these clauses and evaluate the rights, duties and restrictions they establish. Note that the governing law section, which establishes which jurisdiction’s laws apply to an agreement, will generally be insufficient for the purposes of determining what data protection laws apply to both the contract and each party. Vendors and controllers need to consider all the facts and circumstances of their contractual relationship as well as their respective business operations more generally to ascertain all applicable data protection laws.
Software that uses AI to identify and extract data transfer clauses (as well as other terms that may affect their interpretation) can accelerate the work of finding these provisions and enable a more comprehensive review than can otherwise be done manually.
Examples of the data transfer clause
Below are some examples of data transfer clauses from different kinds of agreements. While these examples do not necessarily cover the full range of data transfer clauses one may encounter, they are meant to illustrate the degree to which these provisions can vary from contract to contract. Where an example includes broader contextual language, the data transfer clause is highlighted in bold.
Example 1: From a SaaS Agreement
7.5 International Data Transfers. Our Services are operated in the United States and intended for users located in the United States. If you are located outside of the United States, please be aware that information we collect, including Personal Data, will be transferred to, and processed, stored, and used in the United States in order to provide the Service to you. Where the General Data Protection Regulation applies and our processors of your Personal Data are located outside the European Economic Area, such transfer will only be to a recipient country that ensures an adequate level of data protection.
Example 2: From a License and Services Agreement
Example 3: From a License Agreement
10.3 If Licensor processes any personal data on Your behalf when performing its obligations under this agreement, the parties record their intention that You shall be the data controller and Licensor shall be a data processor and in any such case:
a) You acknowledge and agree that, subject to Licensor’s compliance with its duties as data processor, the personal data may be transferred or stored outside the EEA, Switzerland, or the country where You and the Authorised Users are located in order to carry out the Services and Licensor’s other obligations under this Agreement;
b) You shall ensure that You are entitled to transfer the relevant personal data to Licensor so that Licensor may lawfully use, process and transfer the personal data in accordance with this agreement on Your behalf;
Example 4: From a SaaS Agreement
10.4 No Transfer. Nothing in this Agreement shall operate to transfer, assign or otherwise grant to Vendor any right or interest to the Customer Data, unless otherwise expressly.
10.5 Data Transfers outside of EU or EEA. Vendor (and its applicable sub-processors) shall not transfer personal data to a country outside the EU or EEA which the EU Commission has found does not provide an adequate level of protection unless the parties have agreed to such transfer and Vendor ensures that such processing is performed under appropriate safeguards and otherwise complies with the statutory requirements regarding the processing of personal data outside of the EU/EEA.
Example 5: From a SaaS Agreement
7.7. We will, at all times, physically store the Customer Data and any Backups in a designated country. At no point will We transfer, electronically or physically, the Customer Data or any Backups to another country. We cannot warrant in which countries any data is routed through over the internet in the normal course of carrying out the obligations under this Agreement. We may, at any time, without consent and without notice, move the Customer Data to a new location provided that the new location is either within the same country of the Customer or the same designated country.
Example 6: From a Customer License Agreement
Example 7: From a SaaS Agreement
- PERSONAL DATA
14.2 We reserve the right to provide the Services from locations, and/or through use of subcontractors, worldwide. We subscribe to the United States/European Union Safe Harbor Principles and will only use third party providers that are in compliance of the Safe Harbor Principles.
14.3 Customer agrees to provide any notices and obtain any consents related to Customer’s use of the services and Our provision of the Services, including those related to the collection, use, processing, transfer and disclosure of personal information. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and ownership of all of its data.
Example 8: From a SaaS Agreement
(e) Cross Border Transfers. Where Personal Data originates from the European Economic Area and is transferred to the United States, We will act in compliance with the EU-U.S. Privacy Shield Framework. Where Personal Data originates from Switzerland and is transferred to the United States, We will act in compliance with the U.S.-Swiss Safe Harbor Framework. As of the Effective Date of this SaaS Agreement, We have self-certified to and comply with the EU-U.S. Privacy Shield Framework and the U.S.-Swiss Safe Harbor Framework and will maintain such certification throughout the term of this SaaS Agreement.
- International Transfer. Your information is stored on controlled servers with limited access and may be stored and processed in the United States or another country where our service providers are located. We offer our Services to individuals located in the United States, and we do not advertise our Services outside the United States. If you are located outside the United States and choose to provide your Personal Information to us, please note that we may transfer your Personal Information to the United States or another country where our service providers are located, and such countries may not provide the same data protection. Those who choose to access and use the Services from outside the United States do so on their own initiative, at their own risk, with this understanding.
Example 10: From a Data Processing Addendum
- Data Transfer. Customer hereby consents to the transfer of the Customer Personal Data to, and processing of the Customer Personal Data in, the United States of America and/or in any other jurisdiction in which Company, its affiliates or its subprocessors have operations. The parties hereby enter into the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU, attached hereto as Schedule I and made a part of this DPA in their entirety.
Example 11: From a SaaS Agreement
2.3. Privacy Compliance. Customers are recommended not to store EEA/Swiss/UK personal data (as defined under EU/Swiss/UK relevant law) or any Content that may be governed by industry specific legislation in the Service. The Company is neither the Data Controller nor the Data Processor (as defined under relevant EU/Swiss law) of any personal data Content inputted by Customer or any Authorized User. If Customer or any Authorized User chooses to input personal data Content, Customer shall remain solely liable and responsible for complying with applicable privacy laws with respect to Customer’s and its Authorized Users’ use of the Services and the Content, including but not limited to EU General Data Protection Regulation and any other privacy/data protection obligations in relation to the processing of such Content (including but not limited to the obligations to delete data, process it lawfully, and restrictions regarding transfer outside of the EEA/Switzerland/UK, and responding to data subject access requests). All Content used by or within the Services may be stored on servers located outside of the EEA/Switzerland/UK, unless options (if available) are selected and used by the Customer to retain the data on relevant servers within the EEA/Switzerland/UK. Further, Customer and Authorized Users are not permitted to store, maintain, process or transmit sensitive personal information, including but not limited to financial information, country identification numbers (such as social insurance, social security, driver’s license or passport numbers) or Protected Health Information (as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)) in the Services.
VIII. Transfer Of Your Personal Information Among Jurisdictions.
Example 13: From an Employment Agreement
20.1 The Executive consents to the Group holding and processing both electronically and manually, personal data, including sensitive personal data (as defined in the Data Protection Act 1998) and information contained in e-mail and e-mail attachments it collects, stores and/or processes, which relates to the Executive for the purposes of the administration and management of its business and as may be required by law. It may also be necessary for a Group Company to forward such personal information to other offices it may have or to another Group Company outside the EEA where such company has offices or storage for the processing and/or for administrative purposes and the Executive consents to such Group Company doing so as may be necessary from time to time.
Example 14: From a Master Services Agreement
C. For compliance with EU Data Protection Directive:
1. Each of Client and Provider warrants that it will implement and maintain appropriate written policies, the terms of which are reasonably designed to ensure its compliance with the EEA Data Protection Laws.
2. In respect to any Personal Information processed pursuant to this Agreement by Provider, Provider warrants and undertakes that it shall, and any of its subcontractors shall:…
c. not cause or permit the Personal Information to be transferred or otherwise processed outside the European Economic Area without the prior written consent of Client.
3. In the event that the services involve the processing of Personal Information outside the European Economic Area, the parties agree to execute the Standard Contractual Clauses for Data Processors established in Third Countries pursuant to the Commission Decision (2010/87/EU) of 5 February 2010 under the EU Directive 95/46/EC. In addition, to the extent that the Services involve processing of Personal Information transferred from Germany, the Parties agree to use commercially reasonable efforts to execute additional terms as agreed between the Parties.
Example 15: From a Master Statement of Work
9.7 Additional Warranties for Handling of Sensitive Personal Information.
The following section is applicable when Supplier is handling Sensitive Personal Information (SPI) on behalf of Buyer or Customer. Examples of SPI include Social Security Number (SSN) or other governmentally issued identification number such as driver’s license or passport number, bank account number and credit card or debit card number. SPI is considered Confidential Information.
1. Supplier shall not transfer or disclose Personal Data to any third party without the prior written consent of Buyer. Supplier shall put in place with any third party to whom it transfers or discloses Personal Data an agreement sufficient to ensure that such third party treats Personal Data in accordance with the provisions of this Agreement. Supplier shall ensure that any third party to whom it transfers or discloses Personal Data has implemented a data privacy incident reporting process for the immediate reporting to Buyer of any potential or actual privacy and/or security breaches. Supplier shall conduct an ongoing (annual or when changes occur) privacy assessment and security validation of those third parties to whom it has transferred Personal Data.