Previous article in series – Data Privacy: Evolution and History of Modern Data Privacy

Contractual and regulated data may coexist within a single complementary context; a contract may be formulated to enforce the adherence to a regulation or set of regulations and a regulation may define the need to have contractual relationships between provider and consumer.

The intent of a contract is to provide for a legally binding instrument that governs the acts, expectations, and behaviors between two or more parties.

A regulation is typically confined to a specific industry or process that involves a provider and consumer (although the term regulation is used occasionally tied to laws).

An example of the interrelationship of contractual and regulated data is how chapter V of the General Data Protection Regulation (GDPR) governs transfer of data outside of the European Union (EU). It refers to it as international transfers. The GDPR specifies that data transmitted outside the EU must have adequate protections in the recipient’s territory/jurisdiction/regime.

Model Contracts

The European Commission (EC), the governing legislative body of the EU, has determined that some countries outside the EU have adequate international commitments or domestic legislation to ensure the proper protection of internationally transferred data. The transfer of data is accomplished by means of model contracts. These model contracts assist with ensuring adequate protections for international transfer of data for countries that have and do not have adequate international commitments or domestic legislation to ensure the proper protection of internationally transferred data. Currently the EC defines two subcategories for model contracts:

• EU controller to non-EU or non-European Economic Area (EEA) controller
• EU controller to non-EU or non-EEA processor

Next article in series – Data Privacy: African & Asia-Pacific Legislations