For those firmly in the sights of the EU’s General Data Protection Regulation (GDPR), the enforcement date of May 25, 2018, is likely indelibly embedded in their minds. For others, this date may have come and gone without significance, other than perhaps an increased general buzz about GDPR as companies across the globe wrestled with its scope and requirements. Those that were unaffected by the May 25, 2018, deadline cannot necessarily rest easy.
Companies are learning that GDPR’s impact can be felt a number of ways and its reach is growing over time. Specifically, many are seeing provisions relating to representations and warranties involving GDPR compliance appearing in agreements they are being asked to sign. In some ways this situation can present more of a problem than implementing a compliance effort prior to May 25, 2018. That is because these contractual provisions can be very onerous, overbroad, possibly unnecessary, and are often part of a business negotiation with urgency as to the resolution of any disputes.
The reason companies are beginning to see GDPR provisions appear in agreements is because GDPR contains requirements that a company must impose on any other company that processes its data. In this scenario, the company is a “controller,” referring to its obligations to control its own data, and the other company is a “processor,” which the controller must ensure complies with GDPR provisions. A company deemed a controller would have been dealing with GDPR back before the May 25, 2018, deadline. To the contrary, while processors should have been involved in compliance discussion prior to that deadline, for a variety of reasons some are still being surprised by the inclusion of provisions in contracts. However, just because a provision shows up in an agreement for your company to sign, it does not necessarily mean your company is implicated by GDPR. This situation makes this area a minefield and requires companies to proceed very cautiously.
Assume Company A has either not considered GDPR compliance at all or decided it was inapplicable to them as a controller, but recently received a new agreement from Company B requiring Company A to make representations and warranties relating to its GDPR compliance. There are a number of possible scenarios. The first is that the representations and warranties are not appropriate to include in the agreement and should be stricken. Although this scenario requires specific factual analysis, at a high level, this would be the scenario if Company A is not performing any processing of EU citizen personal data for Company B. This scenario is fairly common for several reasons. One reason is that companies such as Company B may try to use uniform agreement provisions for simplicity, relying on the most favorable set of representations. Similarly, Company B may be trying to take the most conservative position, or simply not bothering to edit agreements to remove provisions that are favorable, even if inapplicable. If the inapplicability of the provision is pointed out, hopefully in this scenario Company B will be amenable to removing it because Company A should not be making representations and warranties for complying with a regulation such as GDPR if they are not complying or if they are unsure. In another scenario, there may be insistence in including the provision, but Company A does not believe GDPR is applicable to them. Here, a compromise may be to include language that limits the representation of compliance to applicable regulations. While this result is less ideal than the two parties agreeing GDPR does or does not apply, it can allow Company B to use a more standardized approach.
The final and worst scenario is if Company A realizes through the inclusion of this provision that they are considered processors pursuant to the GDPR and that Company B’s request is not only reasonable, but Company B must get that assurance for its own compliance with GDPR. This scenario can be downright dire if an agreement must be signed and Company A is not complying with GDPR. This last scenario must be avoided. If your company cannot say with certainty whether it is or is not considered a processor for another controller’s data, then the possibility of this last scenario should loom larger than the May 25, 2018, deadline until that question is answered.