Laura Srodon LLB
Director, Solicitor, Notary Public
This Policy (“Policy”) sets out the 9 Data Protection Principles which Howarth and Srodon Notaries Public (“Business”) commits to comply with when processing personal data in the course of its business of providing notarial services.
The steps which must be followed are:
Step 1: Establish whether the Supplier is a Data Controller or a Data Processor
Step 2: Comply with data protection law requirements in the procurement process
Step 3: Check whether personal data will be transferred outside the European Economic Area (EEA)
Step 4: Complete the self-assessment Checklist to ensure compliance with this Policy
This Policy does not apply if the Supplier’s services do not involve the processing of personal data (for example where it is solely a contract for the purchase of goods, such as hardware).
STEP 1: IDENTIFY WHETHER THE SUPPLIER IS A DATA CONTROLLER OR A DATA PROCESSOR
Whenever it is proposed to appoint a Supplier to which this Policy applies, it is important to first identify whether the Supplier is a “Data Controller” or a “Data Processor”.
It is important to identify whether the Supplier is a Data Controller or Data Processor because:
SUPPLIER AS A DATA CONTROLLER
SUPPLIER AS A DATA PROCESSOR
SUPPLIER NOT ENGAGED IN “PROCESSING”
If the Supplier will be acting as a Data Controller:
As mentioned above, it is less likely that a Supplier will be acting as Data Controller and the majority of Suppliers will be Data Processors. However, if the Supplier is indeed a Data Controller:
Please note that Data Controllers which are public authorities are less likely to accept a written agreement from the Business as they act under their official authority. In these cases, it may be reasonable for the Business to assume that the Data Controller will comply with its legal obligations even if no agreement is entered into. However, in some cases public authorities may still be considered Data Processors especially if they act outside their official authority and a written agreement (as per Steps 2 and 3) may be required. The Business should ensure that only such minimal possible personal data is shared with such public authorities as is required to carry out the relevant acts.
STEP 2: COMPLY WITH DATA PROTECTION LAW IN THE PROCUREMENT PROCESS
Because the Business will be responsible for the actions of its Data Processors, there are certain steps which must be taken to protect the Business when appointing a Supplier who is a Data Processor.
In addition, when contracting with a Supplier who is a Data Processor, the Business is under a legal obligation to ensure certain mandatory provisions concerning personal data are included in the contract with the Data Processor. These provisions are reflected in the standard Data Processing Agreement.
The following table outlines the practical steps which should be taken during the procurement process to ensure that data protection legal obligations are met.
| STEP | WHAT DOES THIS MEAN IN PRACTICE? |
|---|---|
| Understand the nature of the data processing | Identify the types and amounts of personal data which the Supplier will have access to. The Supplier should only have access to the minimum amount of personal data it needs to provide the services. If the Supplier will have access to payment card data, the agreement will also need to address compliance with the Payment Card Industry Data Security Standard (PCI DSS). |
| Conduct due diligence on the Supplier | Choose a Supplier providing sufficient guarantees regarding information security and handling of personal data. Ensure the Supplier is able to provide appropriate security protection for the data, taking into account the nature of the personal data and any risks involved (for example, the consequences of a security breach). |
| Take additional precautions with special categories of personal data or card payment data | Pay particular attention to security specifications for the contract if it involves processing special categories of personal data. |
| Ensure the written contract contains or incorporates the data protection clauses | The contract with the Supplier must include specific data protection language, as this is a legal requirement under EU data protection laws. If the contract is on the Supplier’s standard terms, it must still be ensured that the necessary data protection language is included in the contract. |
| Note any data transfers outside of the EEA | If any personal data will be transferred outside the EEA (including where the personal data can be accessed remotely from outside the EEA), steps must be taken to ensure that the transfer is lawful. See Step 3 below. |
| Anonymise, pseudonymise or aggregate personal data if possible | These safeguards should be considered to help eliminate data protection risks whenever possible. |
| Limit access to the personal data | The Supplier should have appropriate access controls so that only those involved in the delivery of the services can access the personal data, and access rights are limited to what is necessary for each individual’s role. |
| Ensure the Supplier can assist with individual rights requests | The data protection language in the contract must include an obligation on the Supplier to assist the Business in enabling individuals to exercise their rights. These include the rights to access, rectify and erase their personal data, and to object to it being used for a particular purpose. The Supplier must ensure that it can respect these rights (e.g. by rectifying or erasing personal data) when requested to by the Business. The Supplier should also ensure that any requests it receives in relation to personal data are promptly passed on to the Business. |
| Check the Supplier’s subcontractors | Essentially, it should be ensured that all data processing terms will be ‘flowed down’ to any subcontractor. |
| Provide notice of the data sharing unless this has been done already | Ensure that the arrangement with the Supplier is covered by the privacy notice given to Personnel or clients, as applicable. If the arrangement is not adequately covered by the existing notice, consider how to inform them before providing their personal data to the Supplier. |
| Business monitors the Supplier’s compliance throughout the appointment | Ensure there are reasonable steps in place which allow the Business to monitor the Supplier’s performance of its security and processing obligations. For example, the Business may check the Supplier’s website and look out for any relevant press releases, and regularly (depending on the level of engagement and the associated risks) ask the Data Processor (e.g. pursuant to the Data Processing Agreement) for information such as confirmation of the information security measures the Data Processor has in place. |
| Establish what will happen to the personal data at the end of the relationship | If there is no longer a need to keep the personal data, because the service relationship has terminated or because the law no longer requires it, it should be returned to the Business. Make sure the contract terms provide for the return of the personal data to the Business, or its purging, upon request of the Business. |
STEP 3: CHECK IF PERSONAL DATA WILL BE TRANSFERRED OUTSIDE THE EEA
This Step 3 should be completed whether the Supplier will be acting as a Data Controller or a Data Processor.
In considering whether to appoint a Supplier, the following should be established:
A ‘transfer’ of personal data includes the following:
Subject to the exceptions set out below, personal data should not be transferred from an EEA country to a non-EEA country unless there are means of providing appropriate safeguards for that personal data.
A small number of countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay) have been legally recognised to provide an adequate level of protection and personal data can therefore be transferred from the EEA to those countries. The list of “adequate” countries can be found on the Commission’s website here.
The US is also regarded as “adequate” if the US recipient (whether the Supplier or a subcontractor) is certified with the EU-US Privacy Shield, and their certification covers the type of personal data which will be transferred. If the Supplier wants to rely on Privacy Shield, the recipient’s certification should be checked on the online list. If the Supplier will be relying on Privacy Shield, ensure it is subject to an obligation to maintain its Privacy Shield status for the duration of the agreement (or ensure the relevant US recipient does), and is obliged to enter into an alternative transfer solution if Privacy Shield is no longer valid.
For countries outside the EEA and not listed above, an alternative solution has to be adopted before personal data can be transferred. The most relevant to the Business is likely to be requiring the non-EEA recipient to sign up to an approved set of international data transfer clauses, known as the ‘EU Model Clauses’. Which version of the Clauses should be used depends on whether the Supplier is acting as a Controller or a Processor. The EU Model Clauses should not be amended by the parties. The Appendices will need to be completed prior to execution.
Summary of the contractual arrangements which must be in place:
| Country in which personal data will be hosted, or from which it will be accessible | How to regulate processing by the Supplier | How to regulate transfers outside the EEA |
|---|---|---|
| ‘Adequate’ countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay) | Use the standard Data Processing Agreement | N/A as the countries offer ‘adequate protection’ |
| Non-adequate countries (e.g. Australia, India, China, or US companies not registered with the Privacy Shield) | Use the standard Data Processing Agreement | Execute the applicable EU Model Clauses |
| US companies which are certified with the EU-US Privacy Shield, where their certification covers the type of personal data being transferred | Use the standard Data Processing Agreement | Ensure the Supplier is obliged to remain certified with the Privacy Shield throughout the term of appointment, and to put in place an alternative arrangement if Privacy Shield is no longer valid |
In some circumstances transfers may be made without ensuring appropriate safeguards for the transferred personal data, as explained above. These exceptions will mostly concern transfers instructed by the client rather than transfers to a Supplier of the Business.
| Exception | When it applies |
|---|---|
| Explicit consent from data subject | This will only apply where all personal data in the document to be transferred outside the EEA is the personal data of the client and no third party (unless such third party has also consented). Consent has to be freely given, unambiguous, informed and confirmed by affirmative action or statement of the data subject. A record of the consent must be retained together with the assessment of possible risks of the transfer and the appropriate safeguards put in place in relation to the transfer. |
| Transfer is necessary for the performance of a contract | This will apply only to contracts between the Business and the data subject, or with another party at the data subject’s request. This may apply, for example, where the client engages the Business to procure notarisation by foreign notaries. In such cases, the Business should obtain a warranty from the client to the effect that the client has obtained explicit and demonstrable consent from each other data subject whose personal data is included in the document which is subject to the transfer. This exception will also likely apply to transfers to foreign public authorities. |
| Transfer is necessary for important reasons of public interest recognised by law | This will apply in very limited circumstances, such as in the case of the UK’s substantial public interest in detecting and preventing crime. |
| Information in public registers | You can transfer overseas part of the personal data on a public register, as long as the person you transfer it to complies with any restrictions on access to or use of the information in the register. |
| Transfer is necessary in connection with legal proceedings, legal advice or defending legal rights | This may apply, for example, where notarised documents are forwarded to a third-party law firm in connection with legal proceedings or legal advice. |
These are the main exceptions that are likely to apply. However, in some circumstances further exceptions may apply.
STEP 4: SELF-ASSESSMENT CHECKLIST FOR COMPLIANCE WITH THIS PROCEDURE
To ensure compliance with the requirements of this Policy, the self-assessment checklist in Appendix 1 should be completed.
Last updated January 2020
SUPPLIER APPOINTMENT SELF-ASSESSMENT CHECKLIST
This checklist will help you determine whether this Policy has been complied with. If any of your answers is “No”, further information from the Supplier or independent legal advice should be sought.
| HAVE ALL ACTIONS BEEN TAKEN TO ENSURE THE COMPLIANCE OF THE NEW SUPPLIER APPOINTMENT? | Yes / No |
|---|---|
| I have identified what types of personal data will be disclosed to the Supplier. | |
| I have identified whether the Supplier will act as a Data Controller or a Data Processor in this processing. | |
| I have ensured that our contract with the Supplier addresses data protection compliance in light of its role in the processing. | |
| I have ensured that the Supplier requires only as much personal data as is needed to achieve the purpose for which the Supplier is appointed, and no more. | |
| I have considered with the Supplier whether providing pseudonymised, anonymised or aggregated personal data is adequate for the processing. | |
| For personal data which is sensitive personal data, I have ensured that the Supplier will take additional security measures to protect it. | |
| I have taken steps to ensure that the Supplier only allows those within the Supplier with a genuine ‘need-to-know’ to have access to the personal data. | |
| I have taken steps to ensure that the Supplier will keep logs or records regarding processing of the personal data, including who accessed the data, when, and whether data was changed, deleted, etc. | |
| I have taken steps to ensure that the Supplier will store the personal data only as long as needed for the purpose and no longer. | |
| I have taken steps to ensure that all personal data will be purged, erased or returned at the end of the appointment. | |
| I understand what (if any) other parties will be involved in providing the services and have ensured that the data processing requirements will be flowed down to the subcontractor. | |
| The processing requires the personal data to be accessible outside the EEA. I have put a transfer solution in place (see Step 3). | |
| I have put in place an internal process to monitor the Supplier’s compliance throughout the appointment. | |
| I have taken steps to ensure that the relevant individuals have been / will be informed that their personal data will be used for this appointment and disclosed to a Supplier. | |
STANDARD DATA PROTECTION TERMS: DATA CONTROLLERS
[INSTRUCTIONS FOR USE: This clause is intended for inclusion in a services agreement where a Supplier will be acting as a Data Controller (i.e. it determines the purposes and means of the processing of the personal data from the Business).
Remove all Drafting Notes prior to sharing with the Supplier]
| Term | Definition |
|---|---|
| “Data Protection Legislation” | shall mean all applicable laws relating to data protection and privacy including (without limitation) the EU Data Protection Directive (95/46/EC) as implemented in each jurisdiction, the EU General Data Protection Regulation (2016/679), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, and any amending or replacement legislation from time to time; |
| “Customer personal data” | shall mean all personal data (as defined in the Data Protection Legislation) controlled by Customer which is processed by the Supplier in connection with the Services; |
[Ensure the Services Agreement contains defined terms for “Agreement”, “Services”, “Supplier” (which must include all EU affiliates)]
[The formulation below should be used if the transfer of data outside the EEA is not contemplated from the outset. Note that if this wording is used, there is no need to include clauses [1.6] and [1.7].]
[Alternative clause 1.6 which should be used (in combination with clause 1.6 and 1.7) if there will be a transfer of data from the outset:
Customer hereby consents to Customer personal data being processed outside the EEA, subject to the Supplier’s continued compliance with clause [1.6] and clause [1.7] throughout the duration of this Agreement.]
[Clause 1.6 and 1.7 are only required if data will be transferred from the outset. Use the formulation below if the service provider is based outside the EEA but is not a US-company registered with Privacy Shield:
[The following clause should be included where the Supplier is in the US and certified with Privacy Shield, and its certification covers the data transferred. Note that this clause can still be used if the personal data will subsequently be transferred to a third country by the Supplier, provided the initial transfer is to the US:
The Supplier hereby warrants and represents that as of the Effective Date it is registered with the EU-US Privacy Shield, approved by the European Commission (Decision of 12th July 2016) (“Privacy Shield”). The Supplier further agrees:
(a) to maintain its adherence to the Privacy Shield throughout the duration of this Agreement; and
(b) to immediately inform Customer if at any time the Supplier ceases to be Privacy Shield certified during the term of this Agreement, for whatever reason.]
(a) with Customer’s consent, implement an alternative lawful transfer mechanism; or
(b) allow Customer to terminate the Agreement at no additional cost to Customer.]
PLEASE INCLUDE APPENDIX 1 INCLUDING THE STANDARD CONTRACTUAL CLAUSES