GDPR Contract Gagging Clause?
Discussion
pingu393 said:
I've been asked to sign a new contract to confirm that I will abide by GDPR.
I interpret one of the clauses (2.1.4) as a gagging clause. Am I right?
I am a self-employed courier and provide services to a courier company.
Extract from contract...
Sort of but not quite.
What they're trying to say is that by you accepting your contract and performing the role of Data Processor, you will not disclose anything about the data/clients/customers of the Data Controller to the authorities except those things in 2.1.2 that you could be obligated to.
They are trying to protect themselves from a data breach in the event of you saying more than is necessary to an authority. IANAL but high level made up example, plod stop you at a cordoned off building and ask why you need to go in. You are delivering a parcel to (Customer's name is potentially covered under GDPR but may be disclosed to plod). If you then proceed to disclose it's a rabbit buzz monster 9000 in the box and the customer paid for it using card xxxx-xxxx-yyyy-... then you've just fallen over 2.1.4.
They're really trying to get you to defer to them when dealing with authorities as if you make a mistake on their watch, they are liable as the data controller.
Fairly normal GDPR clause imo.
stewjohnst said:
Sort of but not quite.
What they're trying to say is that by you accepting your contract and performing the role of Data Processor, you will not disclose anything about the data/clients/customers of the Data Controller to the authorities except those things in 2.1.2 that you could be obligated to.
They are trying to protect themselves from a data breach in the event of you saying more than is necessary to an authority. IANAL but high level made up example, plod stop you at a cordoned off building and ask why you need to go in. You are delivering a parcel to (Customer's name is potentially covered under GDPR but may be disclosed to plod). If you then proceed to disclose it's a rabbit buzz monster 9000 in the box and the customer paid for it using card xxxx-xxxx-yyyy-... then you've just fallen over 2.1.4.
They're really trying to get you to defer to them when dealing with authorities as if you make a mistake on their watch, they are liable as the data controller.
Fairly normal GDPR clause imo.
Good example. Thanks. I'll sign tomorrow.
It's fine. The purpose of the clause is to enforce the requirement that it be the data controller that notifies the regulator of any breach, and deals with the regulator if there is any kind of audit or enquiry. Your responsibility as processor is to notify the controller without undue delay if you become aware of a breach or other issue, or are contacted by a data subject with a request to exercise their rights under articles 15-22. The regulator can of course compel you to talk to them, hence the exception for legal requirement. This is all to cover controller responsibilities under article 24, and processor responsibilities under article 28.