PII Controller/Processor Agreement Policy
ISO/IEC 27701 Toolkit: Version 1 ©CertiKit
PII Controller/Processor Agreement Policy
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This document provides guidance about the information that may need to be added to an agreement to cover the requirements of privacy legislation.
Areas of the standard addressed The following area of the ISO27701 standard are addressed by this document: •
Annex A o A.7.2 Conditions for collection and processing ▪ A.7.2.6 Contracts with PII processors ▪ A.7.2.7 Joint PII controller
General guidance The information provided in this document should be used in conjunction with available information from relevant privacy bodies, such as the European Data Protection Board for the GDPR, relating to standard contractual clauses and template data sharing agreements; this policy is based on our understanding of what is generally required it but should be reviewed by a qualified law practitioner before relying upon it in a contract.
Review frequency We would recommend that this document is reviewed whenever additional guidance is published by relevant legislative bodies, such as the EU for the GDPR, or your local supervisory authority.
Version 1
Page 2 of 12
[Insert date]
PII Controller/Processor Agreement Policy
Document fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name. 2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab). 3. Press F9 on the keyboard to update all fields. 4. When prompted, choose the option to just update TOC page numbers. If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Version 1
Page 3 of 12
[Insert date]
PII Controller/Processor Agreement Policy
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 4 of 12
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
PII Controller/Processor Agreement Policy
Version 1
DOCUMENT CLASSIFICATION
[Insert classification]
DOCUMENT REF
PIMS-DOC-A72-3
VERSION
1
DATED
[Insert date]
DOCUMENT AUTHOR
[Insert name]
DOCUMENT OWNER
[Insert name/role]
Page 5 of 12
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
Revision history VERSION
DATE
REVISION AUTHOR
SUMMARY OF CHANGES
Distribution NAME
TITLE
Approval NAME
Version 1
POSITION
SIGNATURE
Page 6 of 12
DATE
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
Contents 1
Introduction ............................................................................................................... 8
2
PII Controller/Processor Agreement Policy ................................................................. 9 2.1 2.1.1 2.1.2 2.1.3 2.1.4 2.1.5 2.1.6 2.1.7
2.2 2.2.1 2.2.2 2.2.3 2.2.4 2.2.5
Version 1
Joint controller relationships ........................................................................................ 9 Purpose of the processing ........................................................................................................... 9 Identity of the organizations involved........................................................................................ 10 PII involved ................................................................................................................................ 10 PII processing and retention ...................................................................................................... 10 Roles and responsibilities .......................................................................................................... 10 PII protection............................................................................................................................. 10 Obligations to PII principals ....................................................................................................... 11
Controller-processor relationships .............................................................................. 11 Subject matter and duration of the processing .......................................................................... 11 Nature and purpose of the processing ....................................................................................... 11 Type of PII and categories of PII principals ................................................................................. 12 Obligations and rights of the controller ..................................................................................... 12 Contractual Terms to be Included .............................................................................................. 12
Page 7 of 12
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
1 Introduction [Organization Name] is committed to protecting the personally identifiable information (PII) of its employees, customers, suppliers and other stakeholders and to ensuring its compliance with all relevant legislation. As part of its business, [Organization Name] relies upon a number of third-party organizations to assist in providing a high level of service to its customers, in reaching new markets, and in looking after its employees, amongst a wide range of other activities. Privacy legislation places obligations on a controller of PII to ensure the protection of that data when they are processed by a third party, that is, a joint controller or a processor. In forming a data sharing relationship, privacy legislation is generally quite specific about the fact that a contractual agreement must be in place between the parties involved, and that it should specify key items of information about the PII involved and how it is processed. This policy document sets out the information that must be included in contracts and other agreements that involve the processing of PII. The following related documents are relevant to this procedure: • • • •
Privacy and Data Protection Policy PII Processor Assessment Procedure Procedure for International Transfers of PII PII Principal Request Procedure
Version 1
Page 8 of 12
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
2 PII Controller/Processor Agreement Policy It is a requirement of all existing and new contractual agreements between [Organization Name] and third parties where PII is shared or processed, that specific information is detailed, and data protection-related contract terms are included. The contract must generally be legally binding on the joint controller or processor for it to be compliant. The following sections set out the information that is required and the terms that must be included, depending on the nature of the relationship. Important Note: The exact wording of the data protection clauses may vary in each individual contract, and each amendment to an existing contract or creation of a new contract must be subject to review by a qualified legal practitioner with knowledge of the legal framework in the country or countries involved. Standard contractual clauses may be made available by relevant privacy legislative bodies, and these should be used where possible. The GDPR makes provision for the EU and individual supervisory authorities to publish standard contractual clauses (see Article 28 – Processor, points 6,7,8) and, at the current version of this policy document, new SCCs have been published by the European Data Protection Board (EDPB). [See https://edpb.europa.eu/news]. The website of the EDPB must be consulted on a regular basis to check the latest SCCs available.
2.1 Joint controller relationships In those situations where [Organization Name] enters into an arrangement with one or more other organizations for the sharing of PII and these organizations together define the purpose of the processing, then they may be defined as joint controllers of the PII. This situation requires that a clear definition of the roles and responsibilities of each party be established in an agreement so that the PII is appropriately protected and the method of meeting obligations to the PII principal are clear to all parties, including the PII principal themselves. Note that each party remains responsible for compliance with applicable privacy legislation in its entirety, despite the joint relationship. The agreement must include the following aspects of the arrangement.
2.1.1 Purpose of the processing A controller is responsible for defining the purpose of the processing of PII and in a joint controller arrangement this must be clearly agreed between the parties involved. This will generally be described in terms of the expected end result of the processing.
Version 1
Page 9 of 12
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
2.1.2 Identity of the organizations involved Each of the organizations that are party to the joint controller relationship must be clearly identified in sufficient detail, for example by listing the organization name, registered address and company number.
2.1.3 PII involved A clear description of the PII that will be collected and processed must be given in as much detail as is available. This should include the types of PII principals, the data items, the source of the data and whether any special category data is involved, as defined by the relevant privacy legislation.
2.1.4 PII processing and retention An overview of the types of processing that will be undertaken with respect to the PII should be given. For example, this could include the storage of the PII in a specified location followed by regular analysis to generate a list of individuals who will receive an email on a specified subject. The retention policy that will apply to the PII must also be defined, together with the methods of disposal of the PII once the retention period has expired.
2.1.5 Roles and responsibilities Within the joint controller relationship, it is likely that the parties will perform specific aspects of the processing, for example one party may collect the PII and another may use it to perform analysis to reach conclusions on behalf of all parties. These roles must be identified and allocated in an agreed way. Specifically, the responsibilities of each party for breach management and notification (to other parties, supervisory authorities and PII principals) must be covered so that actions to be taken are known in advance of an incident.
2.1.6 PII protection The controls that are appropriate for the protection of the PII (such as access control and encryption at rest) must be agreed and documented, and commitment obtained from each of the parties on where and how these controls will be applied.
Version 1
Page 10 of 12
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
2.1.7 Obligations to PII principals Agreement must be made about how PII principals will be provided with the required privacy notice information about the processing, such as the identities and contact details of the controllers, retention periods and international transfers. The way in which PII principals will exercise their rights under applicable privacy legislation must be decided and documented, including contact points and procedures for registering and complying with requests for access, withdrawal of consent and other allowable actions.
2.2 Controller-processor relationships In those situations where [Organization Name] is the controller (or joint controller) of the PII and a third party is engaged to assist in processing it, then a controller-processor relationship may be said to be in place. The following information about the processing of PII must be included in each contract with a processor for it to be compliant. This information must be specific to the individual contract and must describe the processing in clear terms, that is, generic descriptions with a wide interpretation must not be used.
2.2.1 Subject matter and duration of the processing The topic or area that the processing is concerned with should be described, together with an indication of the period of time the processing should continue for. A simple example could be “the creation and despatch of marketing materials for a period of one year from the date of contract.” This gives a clear indication of the area the PII is intended to be used in and for how long it should be kept. The processor is therefore not permitted to use the data for any other purpose and cannot retain the data for longer than is contractually agreed.
2.2.2 Nature and purpose of the processing Describe what the processing consists of and the intended reasons for it. A simple example of the nature of the processing could be “the printing of address labels from a list provided by [Organization Name], the attachment of the labels to physical mailing pieces and their dispatch to the recipient.” Similarly, a simple example of the purpose of the processing could be “communication of our product information to individuals who have requested it.” Again, this information is intended to make it clear how the PII will be used and why.
Version 1
Page 11 of 12
[Insert date]
PII Controller/Processor Agreement Policy [Insert classification]
2.2.3 Type of PII and categories of PII principals The PII involved in the processing must be described as clearly as possible, partly in order to give an indication of its level of sensitivity, particularly if special categories of data (for example, genetic and biometric data) are involved. Information about the groups of PII principals that the PII refers to must also be given, in as much detail as is available or appropriate. A simple example could be “name and address of individuals who have requested product information”.
2.2.4 Obligations and rights of the controller The controller of the PII must comply with the relevant privacy legislation and must require the processor to recognise and agree to specific terms that set out how they will assist the controller in remaining within the law. These terms are described in the following section.
2.2.5 Contractual Terms to be Included Privacy legislation generally requires that the controller specify a set of minimum terms related to data protection in the contract. These may require that the processor: • • • • •
• •
Processes the PII only on documented instructions from the controller Ensures that persons authorised to process the PII have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality Takes all measures required to provide a level of security of the PII appropriate to the risk Respects relevant conditions for engaging another processor and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller Assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the PII principal’s rights laid down in relevant privacy legislation Assists the controller in ensuring compliance with their obligations in areas such as breach notification and privacy impact assessment At the choice of the controller, deletes or returns all the PII to the controller after the end of the provision of services relating to processing, and deletes existing copies unless relevant law requires storage of the PII
Version 1
Page 12 of 12
[Insert date]