GDPR: data processing agreement

Contract that must be signed (electronically) by both parties.

CiviCRM LLC should (probably more a needs to) take proper legal advice on the ToS/Privacy Notice for Spark.

The LLC is after all bearing the risk financially for issues with the policy - worth paying properly to get it right.

added Documentation label

Example contracts from other hosting companies:

• https://www.siteground.com/viewtos/data_processing_agreement
• https://www.hostpapa.co.uk/terms/data-processing-addendum/
• https://legal.hubspot.com/dpa

Lawyers will copy-paste something standard. We should probably come up with something basic first. The HubSpot terms seem like a good start, since we should consider the California CCPA as well.

This is something the CT needs to do since Spark is their thing and they bear the legal risk on this. Should probably stop EU signups until this is in place. It's irresponsible to allow EU signups for a non-compliant service. The legal risks to the organisations using Spark and to the LLC are pretty severe and all GDPR liabilities are shared by all parties in breach.

Can you provide more info on the extra-judicial aspect?

I would avoid restricting EU, Russia, China, etc, would rather let organizations chose, since this is difficult for us to enforce.

Extra-territoriality: https://hsfnotes.com/data/2019/12/02/edpb-adopts-final-guidelines-on-gdpr-extra-territoriality/

Liabilities between controllers and processors: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/

Worth noting that CiviCRM's own data processing (of customer, community member, contributor data) is also not GDPR compliant.

thanks!

We probably have a few issues for GDPR on the website. I found this one: marketing/marketing-admin#2 (closed) (which you linked to this issue, but for some reason is not showing up).

Starting from the HubSpot terms may get you close (worth noting that the terms themselves are intellectual property and copying them verbatim is not a great idea!)

of course :)

We can buy a template, but it's a fairly short and easy to understand doc, and other ToS can give us a good idea of what might apply to our specific situation.

assigned to @josh and unassigned @Detlev

mentioned in issue marketing/civicrm-website#254 (closed)

For reference, moved here: https://civicrm.com/civicrm-spark-data-processing-agreement/

but still waiting for review.