Relationships with third parties/Intragroup activities
Vendor/Third party assessment
When companies engage service providers, vendors or third parties that collect or process personal data, they shall conduct a due diligence check to ensure that data-related risks are understood, and law-mandated measures are in place. When those parties work with other parties to deliver their services, a full analysis and assessment of the overall risk is needed. Factors like cloud-based, geographical location, data exports, data access must be weighted in before the vendor can be contracted.
Preparation of Data Processing Agreements (“DPAs”), Data Transfer Agreements (“DTAS”) and Standard Contractual Clauses (“SCCs”) where needed
When contracts are entered with entities that will process personal data on your behalf, a DPA might be necessary. If, as part of the engagement, personal data will be exported to other countries, additional clauses and measures. or a DTA might be needed to keep your data processing in compliance. If the data transfers will happen between the European Economic Area and countries outside of it which do not offer a similar level of data protection, then SCCs approved by the European Commission will be necessary. We will help you with your DPAs, DTAs, or SCCs or review the other parties’ and negotiate them so you do not acquire unnecessary risk.
Intragroup Data Transfer Agreements (“IDTAs”)
IDTAs help multinational corporations to exchange personal data, from customers, employees or other, in a compliant way. IDTAs set corporate rules and conditions on how to process data and thus permit the transfer of personal data among affiliates and headquarters. We will help you design your group’s IDTAs and deploy them to be effective.
Support responding to Data Subject Requests (“DSRs”)
When uncertain of your obligations about a DSR or in need of support to fulfill them, we will help you to respond in a compliant and timely manner. It is not uncommon that inadequate response to DSR is escalated and gets the regulator attention with further consequences. We can also help you to anticipate and prepare by creating DSR processes and data preparation plans and training your designated staff to manage those processes.
Support towards external parties / Privacy Authorities
Need support to negotiate with third parties from a Privacy perspective? (Demanding customers, potential investors, service providers, etc.) Need to deal with regulatory bodies? (Privacy authority enquiries, audits, etc.) Need to designate and train your staff to deal with these situations? we can help you get ready to promote and defend your privacy program or the privacy adequacy of your new venture. We can train your staff on how to behave during a dawn raid by a Privacy Authority or, at your wish, we can represent you in all those activities.