The Foundations of Privacy Contracting | TrustArc
Source URL: https://trustarc.com/resource/privacy-contracting-foundations/
Privacy PowerUp Series #5

Businesses handle an enormous volume of personal data today, making privacy contracting a crucial aspect of data management. Understanding the intricacies of privacy contracting is essential for legal professionals, especially those working in privacy. This article provides a guide to privacy contracting, focusing on two areas: Privacy and Security Disclosures, and Policies and Addenda.

Setting the stage: the goals of privacy contracting

Before getting into the specifics, start by understanding your overarching goal in privacy contracting. Whether you're building a privacy program from scratch or trying to keep a customer satisfied, the primary objective should always be to build trust. Robust privacy agreements can establish and reinforce your brand's credibility, while poor execution of these documents can erode trust.

Privacy and security disclosures

Think of Privacy and Security Disclosures as the exterior shell of your privacy program. These non-negotiable documents provide vital information on a company's data protection practices.

Privacy Policy

Also known as a Privacy Disclosure or Privacy Statement, this document explains how a company collects, uses, stores, and shares personal information. A well-crafted Privacy Policy should include:
- Types of data subjects (website users, customers, partners, employees)
- Types of information collected
- How data is used and/or shared
- Links for data subjects to contact the company or exercise their data subject rights

Sub-processors and affiliates disclosure

This disclosure provides information about the sub-processors and affiliates a company may share personal data with. It should include:
- Sub-processor entity details
- Location of the sub-processor
- Purpose of data processing
- Safeguards for data transfer (e.g., DPF, SCCs)
- Data privacy representative/contact information

Technical and organizational measures (TOMS)

TOMS set out an organization's privacy, security, governance, and compliance commitments. Key elements include (as applicable):
- Encryption measures
- Data center locations
- Physical security controls
- Third-party compliance audits
- Penetration testing
- Data deletion, export, and return policies

Cookie Policy

If your organization uses cookies, the Cookie Policy should describe the types of cookies used (essential, analytics, content) and how data subjects can disable or delete certain cookies.

Policies and addenda

Once you've established a solid shell with your Privacy and Security Disclosures, it's time to get into contracting. These agreements are pivotal in establishing or eroding trust with potential customers.

Data Processing Agreement (DPA)

A DPA is a legal contract between a data controller and a data processor. It outlines the rights and obligations of the parties involved in data processing. Key clauses typically include:
- Type of data processed
- Data processing instructions
- Duration of data processing rights
- Obligations of both parties

Acceptable use policy

This document describes prohibited uses of an organization's services, content, output, or documentation. It includes:
- Usage restrictions
- Prohibition of illegal, harmful, or offensive use
- Rights to monitor and enforce prohibitions

Accessibility policy

For organizations with an online presence, this is where to showcase a commitment to the Web Content Accessibility Guidelines (WCAG) 2.1 AA (if applicable).

Security Addendum

Sometimes customers may require further commitments regarding an organization's security posture. A Security Addendum usually includes:
- Administrative safeguards (incident response, change management, background checks, etc.)
- Technical safeguards (physical security, vulnerability scanning, network security, etc.)
- Organizational safeguards (security program, third-party assessments, disaster recovery, etc.)

Business Associate Addendum (BAA)

A BAA is a legally binding contract that protects personal health information (PHI). Required under when a Covered Entity uses a Business Associate to perform services involving PHI, it ensures that any party handling PHI adheres to specific standards to protect the data.

Ensure strong privacy contracting practices

Privacy contracting is not just about compliance; it's about building and maintaining trust with your customers. By focusing on robust Privacy and Security Disclosures and well-crafted Policies and Addenda, you can establish a strong foundation for your privacy program.