*By Thomaz Corte Real

Contracts are legal agreements that create rights and obligations between the parties involved. The parties agree to perform certain actions or refrain from others, in exchange for some benefit or compensation.

Contract clauses are fundamental for a contract to be effective and fair. They establish the basis for the relationship between the parties involved, ensure that all terms of the agreement are properly complied with and can cover a wide variety of topics, such as contractual term, price, limitation of liability, delivery conditions, execution times, intellectual property, confidentiality and, currently, duties and obligations regarding the protection of personal data.

The LGPD – General Law for the Protection of Personal Data does not expressly require the inclusion of contractual clauses or the signing of contracts and specific amendments to regulate activities for the processing of personal data. However, this practice is recommended and forms part of the administrative measures capable of protecting personal data from improper or illegal treatment.

But what needs to be analyzed before including personal data protection clauses in contracts and amendments?

The first analysis to be carried out by the Controller of personal data is to verify whether any personal data are processed within the scope of the legal relationship that will result in the signing of the contract. Thus, it is recommended that the company understand the processing flow of personal data through a prior mapping of personal data, that is, an analysis of the path that personal data takes from the moment it is collected by the organization until it is discarded.

If there is no processing of personal data in the object of the contractual relationship, there is no need to mention the inclusion of any clause or guidance in this regard. The parties must declare that they will not process personal data in the object of the established legal relationship.

It happens that many companies, some eager to comply with the legislation, others out of sheer ignorance, create standard clauses, include them in contractual drafts or amendments and submit them to their suppliers, partners, customers, employees, etc., without carrying out the analysis mentioned above and without customizing them for each specific case.

By indiscriminately including contractual clauses that deal with the protection of personal data, many companies end up assuming unnecessary legal obligations and responsibilities, and consequent risks to their business, because they bind themselves to data protection clauses in contracts whose activities do not involve the processing of personal data or, if they do, involve it only minimally.

The information technology area, for example, was greatly impacted by the LGPD, as it is a sector responsible for managing data that is under the responsibility of numerous companies, but there are some services that fit the case under analysis, for example:

  • On-Premises Software Licensing and Updates: in this hiring model, the customer acquires standard software, without customization, and the product is installed locally, in the customer's infrastructure, without the licensor having access to any data stored in the software. Here, there is no relationship involving the processing of personal data, therefore, there is no reason to include clauses to that effect in the contract;
  • Technical support: the need for access to personal data to provide the technical support service is something that needs to be agreed between the Parties. In many cases, to provide this service, the company providing the software only accesses the test environment and, therefore, does not collect personal data to solve any problems. In practice, if the company accesses the production environment, if it is responsible for testing in this environment or is going to monitor the operation in some way, it is essential to define obligations, rights and responsibilities regarding the processing of personal data.

Thus, in the context of the General Data Protection Law and of contractual relationships, there is no pre-defined rule (standard clauses) that fits all relationships. Each conduct needs to be analyzed individually and within its own scenario.

On the other hand, if in the established contractual relationship there is the processing of personal data, the company must, from the outset, understand which data processing will be covered in that contractual relationship, thus delimiting its position as Controller or Operator of personal data, considering that the law provides for different obligations and responsibilities for each of the data processing agents, and consequently, include specific clauses on that data processing or sign an amendment.

It is also necessary to identify the legal basis that supports the processing of data related to the contract under analysis; establish the minimum safety standards that the Controller expects from the Operator; identify whether the data processing is subject to international data transfer; establish the possibility or not of sharing personal data with third parties; define internal procedures to comply with the holders' requests; establish procedures in the event of a security incident; among other contractual provisions.

Data protection compliance is an increasingly relevant and crucial topic in the business world. With ever-evolving data protection laws and regulations, it is essential that companies are diligent in ensuring compliance with applicable rules and regulations, but such rules must not be an obstacle to business growth and innovation. Companies must strike a balance between complying with regulations and pursuing new business opportunities, and take a proactive approach to data protection to minimize risk and ensure business continuity.

Adapting a contract to the LGPD goes far beyond simply creating standard clauses that do not address the details of the personal data processing established in that relationship and, therefore, do not reflect your real need to use the information within that contractual relationship. Thinking that you are in compliance with the law just because you insert general data protection clauses in your contracts is a mistake that companies commonly make.

Therefore, be alert: complying with the legislation and adapting governance measures and good data protection practices does not mean stifling business or bureaucratizing commercial relations with excessive and even unnecessary administrative measures, such as the insertion of contractual clauses in relationships that do not involve the processing of personal data, which may bring additional risks and costs to the operation.

*Thomaz Côrte Real specializes in Digital, Technology and Business Law. Legal Consultant of the Brazilian Association of Software Companies (ABES) and partner of the law firm MASantos, Côrte Real e Associados – Advogados
