Limited Data Clause for Incidental Access
The Parties recognize and agree that: (1) Provider does not provide data storage or processing; (2) Provider is not expected to collect, store, otherwise process, or have directly disclosed to it Customer Data; (3) any Customer Data access Provider may have through the Services would be incidental and meant to be temporary and would not be intended for data processing; and (4) as to Customer Data, Provider is not and will not be a “data processor” pursuant to the European Union’s General Data Protection Regulation (“GDPR”) or a “third party” or “service provider” to Customer pursuant to the California Consumer Privacy Act (“CCPA”), and Provider has and will have no comparable role or status pursuant to other laws governing personal information (collectively with GDPR and CCPA, “Privacy/Security Laws”).*
(a) Consumer Requests and Additional Fees. If Provider receives a “right to know,” deletion, “right to be forgotten,” or similar request related to Customer Data, Provider is not required to respond on Customer’s behalf or on Provider’s own behalf, but Provider may do so. Nothing in this Agreement precludes Provider from asserting rights or defenses it may have under applicable law related to such requests. Customer recognizes and agrees that Provider may charge additional fees (without limitation) (i) for activities (if any) required of Provider by Privacy/Security Laws related to Customer Data and (ii) for activities Customer requests and Provider agrees to perform to help Customer comply with Privacy/Security Laws.
* Subsection 4 adds a conclusion about the law to your contract. But as of 12/13/2021, many jurisdictions’ privacy laws are in flux — even more so than when The Tech Contracts Handbook‘s third edition published. And I’m less confident of Subsection 4’s conclusion. In other words, “incidental access” could qualify for processor or similar status under various statutes. And incidental access could impose other obligations on the provider. As a result, you may gain nothing from terms saying the vendor is not a processor or the like. You should research the current state of applicable privacy law (GDPR, CCPA, etc.). I hope to update this clause, if necessary, as the situation becomes clearer.