Alex J., Solicitor
Category: Law
Satisfied Customers: 4127
Experience:  Solicitors 2 years plus PQE

A US client has asked for the following clause to be added

A US client has asked for the following clause to be added to my company's standard terms and conditions. Would this be in accordance with GDPR and/or is there anything else to be concerned about:

Data ownership and access:
Given the sensitive nature of data, XXX will follow the Principle of Least Privilege for all data related activities. The Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have that right. Further, the function of the subject (as opposed to its identity) should control the assignment of rights. Any data, code, or other artifacts related to personally identifiable information (PII) will be removed from all non YYY systems within 30 days of completion of the contract.
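The clause quoted above makes two checkable demands: rights follow a subject's function rather than its identity, and PII artifacts on non-YYY systems are gone within 30 days of contract completion. The following Python is an added illustration of how a data processor might model both in code; it is not part of the thread and not anything the client or the poster's company supplied. The roles, permissions, file paths and dates are constructed, and the system label "YYY" is used only to mirror the clause.

```python
"""Added example (not from the JustAnswer thread): a small model of the
clause's two requirements, function-based least-privilege access and
30-day removal of PII artifacts from non-YYY systems.
All roles, subjects, artifacts and dates below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Rights are attached to functions (roles), never to named individuals,
# which is what "function ... should control the assignment of rights" asks for.
ROLE_PERMISSIONS = {
    "claims_analyst": {"read:claims"},
    "billing_clerk": {"read:invoices", "write:invoices"},
    "dpo": {"read:audit_log"},
}


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset  # the subject's functions; identity plays no part in the decision


def permitted(subject, action):
    """True only if at least one of the subject's functions grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


# Every access attempt is recorded so the company can show who touched client data.
ACCESS_LOG = []


def access(subject, action, resource):
    """Least-privilege gate: deny by default, log every attempt, allow only on a role match."""
    allowed = permitted(subject, action)
    ACCESS_LOG.append((subject.name, action, resource, allowed))
    return allowed


@dataclass(frozen=True)
class Artifact:
    path: str
    contains_pii: bool
    system: str  # "YYY" is the client's own environment; anything else is a non-YYY system


RETENTION_DAYS = 30  # the clause's removal window after contract completion


def removal_deadline(contract_end):
    """Last day on which PII may still sit on a non-YYY system."""
    return contract_end + timedelta(days=RETENTION_DAYS)


def overdue_pii_artifacts(artifacts, contract_end, today):
    """Paths of PII artifacts on non-YYY systems that are past the 30-day window.
    A non-empty result means the company is already in breach of the clause."""
    deadline = removal_deadline(contract_end)
    return [
        a.path
        for a in artifacts
        if a.contains_pii and a.system != "YYY" and today > deadline
    ]


if __name__ == "__main__":
    analyst = Subject("alice", frozenset({"claims_analyst"}))
    print(access(analyst, "read:claims", "claim-1042"))      # True: role grants it
    print(access(analyst, "write:invoices", "inv-77"))       # False: not her function
    inventory = [
        Artifact("/srv/exports/claims.csv", True, "XXX-server"),
        Artifact("/srv/reports/summary.pdf", False, "XXX-server"),
        Artifact("/data/policyholders.csv", True, "YYY"),
    ]
    contract_end = date(2024, 1, 1)
    print(overdue_pii_artifacts(inventory, contract_end, date(2024, 2, 5)))
```

The deny-by-default gate and the overdue check are the two things an auditor would ask the processor to demonstrate: that no named person holds rights outside their role, and that a dated inventory of PII artifacts exists so the 30-day obligation can actually be verified rather than asserted.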

Thank you for your question and welcome. My name is ***** ***** and I will assist you. I am a data privacy expert. When considering GDPR, it only applies to EU citizens and their personal data. This would only be an issue in relation to GDPR if you are processing personal data for EU citizens. Do you know what type of data you are handling?

Generally this clause requires you to restrict who can access the client data, keep a record of who has accessed it, and then remove it from your systems within 30 days. Can you comply with these requirements? Kind regards AJ

Customer: replied 8 days ago.
There could be data relating to EU citizens even though this is a US client. I think it is financial and insurance data.

Thank you. ***** purpose - you need to make sure:

- The client has the lawful basis to process the data - in this case probably consent;

- As the data is being transferred to the UK, this is a non-EU to non-EU (following BREXIT) data transfer. So the responsibility to import the data to the US and back out again is their responsibility.

Your risk as far as GDPR is concerned is probably low.

I would add a clause in to say:

"To the extent that any PII is subject to GDPR, the client warrants that it has a lawful basis to obtain and process the data in accordance with Article 6 of GDPR"

Kind regards AJ

Customer: replied 8 days ago.
Great, thank you

Thank you. Could you kindly rate my response? If I can assist any further please do not hesitate to contact me. Kind regards AJ