
Beyond the surface: addressing data risks in commercial property contracts

Posted on 7 April 2025

In the second of our three-part series looking at some of the significant drafting issues in property and asset management agreements, Sophie Wood (Managing Associate) and Simon Leaf (Partner) in our Innovation Team look at some of the key issues to consider when negotiating data protection clauses.  

When reviewing some of the property and asset management agreements that come across our desks, it can sometimes seem to us that lawyers will throw any old data protection clause into the draft and hope that it does the trick. However, without properly analysing the applicability or relevance of the clause itself, there is a danger that parties may be sleepwalking into an issue later down the line. This article looks at the three key areas to consider when deciding what type of data protection provisions may be needed in your agreement.

What personal data is being processed? 

When drafting the data protection clause, the first question should always be: what personal data will be processed in connection with the services that are to be provided and under the agreement more generally? 

On the one hand, a property management agreement involving a large residential portfolio may involve the processing of a substantial amount of personal data. For example, a property manager may process data relating to residential tenants, building management (for example, incident and/or accident logs or CCTV and EAC systems), and may even process "meter data" if the property manager is responsible for utilities.   

On the other hand, the management of a commercial property may not involve the processing of much personal data, in which case the data protection terms are likely to be less of a focus.  

Generally, the rule is: the more personal data processed (and the more sensitive that data), the higher the data protection risk within the agreement. The data protection terms, and corresponding liability provisions, should therefore reflect and be proportionate to the data being processed.

What are the data protection roles? 

Once you've established what personal data is being processed, it's essential to decipher each party's data protection role. Are the parties data "controllers" or does a controller and processor relationship arise? This will always involve a close factual analysis and determination, so careful consideration of the services being provided will be required to ensure the drafting accurately reflects the nature of the arrangement. The key questions to consider will be: 

  1. Are the parties independent controllers? For example, does each party have freedom to decide how and why personal data is processed, and are the parties processing personal data for their own purposes? 
  2. Are the parties sharing data as "joint controllers"? For example, are the parties jointly deciding how and why personal data is being processed? 
  3. Is one party processing personal data on behalf of the other? For example, it is common for a property manager to only process personal data on the owner's instructions, such that the property manager is acting as a processor only. This will, of course, always turn on the facts, depending on how much freedom or control the property manager has.  

This determination is important, as the data terms required will depend on the roles of the parties. In particular, the UK GDPR prescribes certain mandatory terms where a controller-to-processor relationship arises, and also requires additional terms where a joint controller arrangement arises. The absence of these terms would not only constitute a technical infringement of the UK GDPR but would also expose the parties to a level of data protection regulatory and legal risk. From a commercial perspective, it is also important to accurately define how data will be used - for example, the owner of the property may seek to restrict any use by the property manager of personal data beyond the relevant relationship, particularly where the manager may also be acting as an operator.

Are there any international data transfers? 

Lastly, always check whether the agreement involves an international transfer of personal data. If one of the parties is located outside of the EEA/UK, you should consider the impact of the UK GDPR's international data transfer rules:

  1. First, consider whether the party which will receive the data is located in an "adequate" country – ie a country on the ICO's list. If they are, no additional measures are required.
  2. Second, if one party is in the US, check whether they are listed on the UK-US Data Privacy Framework register. If the US-based party is on the list, then no additional measures are required.
  3. If neither of the above applies, then you should implement "appropriate safeguards" – ie the EU standard contractual clauses and the UK Addendum. These are standard, pre-approved, unamendable clauses that are commonly included in commercial agreements to enable the lawful transfer of personal data.

Although the UK is currently subject to relatively light-touch regulation of data protection law, it is still important for those involved in commercial property agreements to be aware of the data protection implications. It is not uncommon for contractual disputes to arise in relation to personal data provisions, and if data subjects choose to exercise their rights under data protection law (or, indeed, issue claims), then the costs can be significant. Parties to agreements would be well advised to make sure they get their analysis – and drafting – right in the first place. 

If you have any questions on how to draft data terms in property and asset management agreements or other commercial agreements more generally, then please feel free to get in touch. 
