What is a permitted use of data clause?

When a business (a controller) enters into a contract with another (a vendor) to obtain products or services, it may need to share certain data pertaining to its customers, employees, contractors, etc. (each a data subject) with the vendor for the purposes of that contract.¹ Often, this data includes information of a personal or sensitive nature, and applicable data protection laws² may impose certain obligations on these businesses with respect thereto. To comply with these data protection laws, vendors and controllers generally need to add specific terms to their contracts regarding the protection of data subjects’ data. This includes the permitted use of data clause, which is a contractual provision that establishes rules governing the use of any data the controller shares with the vendor, having regard to the facts and circumstances of their business relationship and applicable law. In most cases, the vendor will be permitted to use the data only for the purposes detailed in the agreement and in accordance with any additional instructions it may receive from the controller. Similarly, controllers may be required by law to have permitted use of data clauses in their contracts with data subjects, or in their privacy policies, that describe the purpose for which the data subjects’ data is being collected and how it will be used.

Permitted use of data clauses are typically found in contracts that, by their nature, involve the collection, processing, use, and/or storage of data, such as data processing agreements, SaaS agreements, and business associate agreements as well as any schedules, addendums or policies relating to data protection that may supplement these agreements.

¹ In this article, the terms “controller”, “vendor” and “data subject” are used to differentiate among the following: (i) businesses that have the authority to direct how and when data in their possession may be used by others, including third parties (controllers); (ii) third party businesses that provide products or services to businesses described in (i) (vendors); and (iii) individuals (natural persons) that provide data to (or whose data is collected by) businesses described in (i) (data subjects). Certain data protection laws also contain similar defined terms - for example, GDPR uses “data controller”, “data processor” and “data subject”, respectively. While these legal terms may overlap with the terms “controller”, “vendor” and “data subject” as used in this article, they are not necessarily an exact match. For example, a “vendor” for the purposes of this article could also be a “data controller” (or its equivalent) under applicable law.

² In this article, the term “data protection law” means any law, regulation, etc. pertaining to privacy and/or data security.

How do you review the permitted use of data clause in contracts?

After locating all the permitted use of data language in each agreement, key things to focus on when reviewing these provisions include:

1. What data the clause applies to. As the examples below illustrate, permitted use of data clauses often include a defined term such as “Personal Data”, “Confidential Information” or “Protected Health Information”, in which case it will be necessary to review the definition of any such term(s) to ascertain the full scope of the data to which the provision applies. Sometimes, however, the clause may refer to “personal data”, “personal information”, etc. without defining the precise meaning of those terms (see, for instance, examples 2, 8 and 10 below). Some of these terms are defined under various data protection laws - e.g., “personal data” (GDPR) and “personal information” (CCPA and PIPEDA). And while these terms may seem similar, they are generally not interchangeable. Accordingly, when encountering one of these undefined terms in a permitted use of data clause - or even a defined term in the clause that contains a legislative reference (e.g., “Protected Health Information” may reference the definition of that term under HIPAA) - be sure to check any applicable data protection laws to confirm how those statutes or regulations define them and, by extension, how they should be interpreted for the purposes of that clause. In addition, pay particular attention to any undefined terms in permitted use of data clauses that do not have corresponding definitions in applicable data protection laws, as the ambiguity this introduces could have problematic consequences - especially if it gives the vendor sufficient interpretive latitude to, say, use certain data for purposes not intended by the controller.
2. The permitted use of the applicable data. Permitted use of data clauses often state something along the lines of “vendor may use [the data] only for the purpose of performing its obligations under the agreement.” To establish the permitted use in such cases, reviewers must also consider the terms of each agreement more generally to determine what the vendor’s obligations are. On the other hand, in agreements between controllers and data subjects, the clause may be more specific about the permitted use(s) of a data subject’s data, which can make it easier to determine what the controller is allowed to do with it. Example 10 below, for instance, lists the purposes for which the controller can use the data subject’s “personal information”. Note, however, that the list is not exhaustive, leaving it up to the discretion of the controller to determine what other uses of data subjects’ “personal information” may be necessary for the controller to “perform [its] contractual obligations and for [its] other legitimate interests.” Be sure to confirm that any language used to describe the permitted use of the relevant data conforms with the requirements of applicable law. This includes ensuring that any specific language on this subject required by law to be added to the contract is, in fact, present in the clause (or elsewhere in the contract).
3. The restricted use of the applicable data. Where a clause states that a vendor shall not use the applicable data for any purpose other than to fulfill its obligations under the agreement, any use of that data outside of this context is generally prohibited. In such cases, the more general review of an agreement’s terms mentioned in point 2 above to establish the permitted use(s) will also help to establish any restrictions on use. Still, parties may sometimes agree, for greater certainty, to include further details about what the vendor is not allowed to do with the data. Example 13 below is particularly thorough in this regard. As with language describing permitted use, be sure to confirm that any language describing restrictions on use adheres to the requirements of applicable law, including ensuring that any specific language on this subject required by law to be added to the contract is, in fact, present in the clause (or elsewhere in the contract).
4. Disclosure of data. Where an agreement involves an exchange of personal or sensitive information, the permitted use of data clause may require the vendor (i) not to disclose that information to any third party without the controller’s consent (unless specifically permitted under the agreement - see, for instance, the carve out for Vendor Affiliates and Third Party Subprocessors in example 6 below) and (ii) to otherwise keep it strictly confidential.

As with the review of any contractual provision, it’s also important to be aware of other provisions that may affect the interpretation of permitted use of data clauses. Defined terms, for example, were mentioned in point 1 above. The breach response clause and the breach notification clause (if separate from the breach response clause) set out obligations that the vendor may have in the event of a data breach, including providing notice and support to the controller, investigating the breach, and ensuring appropriate measures are taken to contain and resolve it. The indemnification and limitation of liability clauses may contain important information about the vendor’s (and possibly the controller’s) liability exposure arising from a failure to comply with applicable data protection laws regarding the permitted use of data subjects’ data. Finally, although they are not contractual terms, the provisions of applicable data protection laws can help parties interpret these clauses and evaluate the rights, duties and restrictions they establish. Note that the governing law section, which establishes which jurisdiction’s laws apply to an agreement, will generally be insufficient for the purposes of determining what data protection laws apply to both the contract and each party. Vendors and controllers need to consider all the facts and circumstances of their contractual relationship as well as their respective business operations more generally to ascertain all applicable data protection laws.

Software that uses AI to identify and extract permitted use of data clauses (as well as other terms that may affect their interpretation) can accelerate the work of finding these provisions and enable a more comprehensive review than can otherwise be done manually.

Examples of the permitted use of data clause

Below are some examples of permitted use of data clauses from different kinds of agreements. While these examples do not necessarily cover the full range of permitted use of data clauses one may encounter, they are meant to illustrate the degree to which these provisions can vary from contract to contract. Where an example includes broader contextual language, the permitted use of data clause is highlighted in bold.

Example 1: From a Data Processing Addendum

2.3 Vendor’s Processing of Personal Data. Vendor shall only Process Personal Data on behalf of and in accordance with Customer’s instructions and shall treat Personal Data as Confidential Information. Customer instructs Vendor to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable order form(s); (ii) Processing initiated by Customer and/or end users in their use of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

Example 2: From a Data Processing Agreement

4. Obligations of the data processor. The data processor and its entire staff shall:

a. Use the personal data that are processed, or which are collected for their incorporation, only for the purpose which is the subject-matter of this processing agreement. In no event, it will be entitled to use the data for its own purposes.

Example 3: From a Data Protection Addendum

a. Selected Firm/Vendor will use University Data only for the purpose of fulfilling its duties under this agreement and will not share such data with or disclose it to any third party without the prior written consent of the University, except as required by this agreement or as otherwise required by law.

Example 4: From a Advertising Services Agreement

Section 16.1. Ownership and Use of Data.

(a) Customer Ownership. Customer owns all (i) Customer Data, and (ii) Customer Derived Data. Customer Data and Customer Derived Data are Customer Confidential Information. To the extent needed to perfect Customer’s ownership in the Customer Data or Customer Derived Data, Service Provider hereby assigns all right, title and interest in Customer Data and Customer Derived Data to Customer. No transfer of title in Customer Data or Customer Derived Data to Service Provider or any Service Provider Agent is implied or shall occur under this Agreement. Customer Data and Customer Derived Data shall not be (i) utilized by Service Provider or any Service Provider Agent for any purpose other than (A) as required to provide the Portal and the Services in accordance with this Agreement, and (B) as permitted under Exhibit 24, (ii) except as permitted under Exhibit 24 , sold, assigned, leased, commercially exploited or otherwise provided or made accessible to Third Parties, whether by or on behalf of Service Provider or a Service Provider Agent, or (iii) used by Service Provider or a Service Provider Agent to assert any lien or other right against or to it. Service Provider shall promptly notify Customer if Service Provider believes that any use of Customer Data or Customer Derived Data by Service Provider or a Service Provider Agent contemplated under this Agreement or to be undertaken as part of the performance of this Agreement is inconsistent with the preceding sentence.

Example 5: From a Data Processing Addendum

2.3 Vendor’s Processing of Personal Data. Vendor shall only Process Personal Data on behalf of and in accordance with Customer’s instructions for the period set out in the Agreement and shall treat Personal Data as Confidential Information. For purposes of Clause 5(a) of the Standard Contractual Clauses, the following are deemed instructions by Customer to Vendor to Process Personal Data: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Account Users in their use of the Service; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; and (iv) Processing in accordance with all configuration of the Service by or for Customer.

Example 6: From a Data Protection Addendum

4. Data Privacy.

A. Vendor will use District Data only for the purpose of fulfilling its duties under this Agreement and will not share such data, including anonymized data, with or disclose it to any third party without the prior written consent of the District, except as required by law.

B. District Data will not be stored or processed outside the United States without prior written consent from the District.

C. Vendor will provide access to District Data, including anonymized only to its employees and subcontractors who need to access the data to fulfill Vendor obligations under this Agreement. Vendor will ensure that employees and subcontractors who perform work under this Agreement have read, understood, and received appropriate instruction as to how to comply with the data protection provisions of this Agreement. If Vendor will have access to “education records” for the District’s students as defined under the Family Educational Rights and Privacy Act (FERPA), the Vendor acknowledges that for the purpose of this Agreement it will be designated as a “school official” with “legitimate educational interests” in the District Education records, as those terms have been defined under FERPA and its implementing regulations, and the Vendor agrees to abide by the FERPA limitations and requirements imposed on school officials. Vendor will use the education records only for the purpose of fulfilling its duties under this Agreement for District’s and its End User’s benefit, and will not share such data with or disclose it to any third party except as provided for in this Agreement, required by law, or authorized in writing by the District.

D. Vendor will not use District Data (including metadata) for advertising or marketing purposes unless such use is specifically authorized by this agreement or otherwise authorized in writing by the District.

Example 7: From a Data Processing Agreement

5. Controller and Processor of Personal Data and purpose of the Personal Data Processing

Customer will at all times remain the Controller for the purposes of the Cloud Services, the Agreement, and this Data Processing Agreement. Customer is responsible for compliance with its obligations as a Controller under data protection laws, in particular for justification of any transmission of Personal Data to Vendor (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the Processing and use of the Personal Data.

Vendor is a Processor for the purposes of the Cloud Services, the Agreement, and this Data Processing Agreement. Vendor will Process Personal Data solely for the provision of the Cloud Services, and will not otherwise (i) Process or use Personal Data for purposes other than those set forth in the Agreement or as instructed by Customer in accordance with Section 4, or (ii) disclose such Personal Data to third parties other than Vendor Affiliates or Third Party Subprocessors for the aforementioned purposes or as required by law…

14. Service Analyses

Vendor may (i) compile statistical and other information related to the performance, operation and use of the Cloud Services, and (ii) use data from the Cloud Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively “Service Analyses”).

Example 8: From a Data Processing Addendum

Processing operations

The personal data transferred will be subject to the following basic processing activities:

Scope of Processing:

The Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Appendix pursuant to the provision of the “Services” as defined under the MSA.

Personal data may be processed for the following purposes: (a) to provide the Services, (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfill the obligations under the MSA.

Example 9: From a Data Processing Addendum

2.4 Vendor’s Processing of Personal Data. Vendor shall only Process the Personal Data specified in Appendix 1 to the Standard Contractual Clauses. Vendor shall Process Personal Data on behalf of and in accordance with Customer’s instructions and shall treat Personal Data as Confidential Information. Customer instructs Vendor to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Ordering Document, which includes updating the Services and preventing or addressing service or technical issues; (ii) Processing initiated by Customer’s Subscribers in their use of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

Example 10: From a Privacy Policy

How We Use Your Personal Information

The personal information that we collect is used to perform our contractual obligations and for our other legitimate interests. In some cases, we may ask you for your consent to use your personal information, but any consent will be presented to you separately from this Privacy Policy. We may use your personal information for purposes including, but not limited to, the following:

• To deliver services, products, or transactions that you have requested
• To improve our website, including upgrading security measures
• To send you promotional materials or communications regarding our content and services that we feel may be of interest to you
• To evaluate the products and services that we offer and develop new or improved products or services and to better understand our business environment
• For educational purposes, such as polls conducted in webinars
• To conduct general research on topics of interests to us and our customers

Example 11: From a Data Processing Agreement

1. Object of personal data processing

Personal data shall be processed in order to offer and provide goods or services of the provider or of the contracting parties of the provider. The personal data you provide will be further processed for direct marketing purpose via email, phone, text messages or by other electronic means, for advertising and marketing purpose and promotion of goods, services or the brand of the provider or of the contracting parties of the provider. Personal data will be further processed for internal administrative purposes directly related to business activity of the provider to personalize, improve and further develop goods and services of the provider.

Example 12: From a Business Associate Agreement

c. Permissive Uses. The Business Associate may use or disclose Protected Health Information that is disclosed to it by the Covered Entity under the following circumstances:

• Business Associate may use the information for its own management and administration and to carry out the legal responsibilities of the Business Associate.
• Business Associate may disclose the information for its own management and administration and to carry the legal responsibilities of the Business Associate if (1) the disclosure is required by law, or (2) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Example 13: From a Non-Disclosure Addendum

Use of data.

(1) (a)The Vendor may collect, use, and share student personally identifiable information only for the purposes authorized in the contract between the parties in this agreement and/or with the consent of the student who is the subject of the information or the student’s parent.

(b) The Vendor, working with the District, must obtain the consent of the student or the student’s parent before using student personally identifiable information in a manner that is materially inconsistent with the Vendor’s privacy policy or materially inconsistent with the contract between the parties that applies to the collection of the student personally identifiable information. Vendor will not directly contact the student or the student’s parent, but will work with the District in order to obtain such consent.

(c) The Vendor will not make use of and/or publish, disclose or otherwise disseminate any of the passwords, student information, student performance data, or financial data supplied and/or data stored on the District’s equipment to a third party.

(2) The Vendor shall not:

(a) Sell student personally identifiable information; except that this prohibition does not apply to the purchase, merger, or other type of acquisition of the Vendor, or any assets of the Vendor, by another entity, so long as the successor entity continues to be subject to the provisions of this contract with respect to student personally identifiable information that the Vendor acquired while subject to the provisions of this article;

(b) Use or share student personally identifiable information for purposes of targeted advertising to students; or

(c) Use student personally identifiable information to create a personal profile of a student other than for supporting purposes authorized by the contracting public education entity or with the consent of the student or the student’s parent.

(3) Notwithstanding any provision of paragraph (b) 1 subsection (1) or of subsection (2) of this section to the 2 contrary:

(a) (i) The Vendor may use or disclose student personally identifiable information to:

(A) Ensure legal or regulatory compliance or after pre-approval from the District take precautions against liability;

(B) Respond to or participate in the judicial process;

(C) Protect the safety of users or others on the Vendor’s website, online service, online application, or mobile application; or

(D) Investigate a matter related to public safety.

(ii) If the Vendor uses or discloses student personally identifiable information as allowed in subparagraph (i) of this paragraph (a), the Vendor shall notify the District as soon as possible after the use or disclosure of the information.

(b) The Vendor may use, or disclose student personally identifiable information to, a subcontractor only if the Vendor contractually requires the subcontractor to comply with this contract in its entirety to include CO HB 16-1423 sections 22-16-108 through 22 22-16-111. The provisions of this paragraph (b) apply to the ability of an initial or subsequent subcontractor to further subcontract. If the District determines that an initial or subsequent subcontractor has committed a material breach of the contract that involves the misuse or unauthorized release of student personally identifiable information, the District shall terminate the contract with the Vendor; except that the District is not required to terminate the contract if the Vendor terminates the contract with the subcontractor as soon as possible after the Vendor knows or has reason to know of the initial or subsequent subcontractor’s material breach.

(4) For purposes of this section and section “data destruction”, a student may consent to the use, sharing, or retention of the student’s student personally identifiable information only if the student is at least eighteen years of age or legally emancipated.

Example 14: From a Privacy Policy

1. Use of Personal Information.

We may use, or disclose the personal information we collect for one or more of the following purposes:

• To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a tour of a property, we will use that personal information order to process an application to lease or for payment of rent or other sums due to us.
• To provide, support, personalize, and develop our website, products, and services, including services and activities for which you may have registered through our Website.
• To create, maintain, customize, and secure your account with us.
• To process your requests, purchases, transactions, and payments and prevent transactional fraud.
• To provide you with support and to respond to your inquiries about our communities, including to investigate and address your concerns and monitor and improve our responses.
• To personalize your experience with us and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our website, third-party sites, and via mail, email, or text message (with your consent, where required by law).
• To help maintain the safety, security, and integrity of our communities, website, products and services, databases and other technology assets, and business.
• For testing, research, analysis, and product development, including to develop and improve our communities, website, products, and services.
• To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
• As described to you when collecting your personal information or as otherwise set forth in the CCPA.
• To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information about our Website users is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

3. Sharing Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

We share your personal information with the following categories of third parties:

• Service providers, such as payment processors, parking vendors, insurance providers, IT service providers, security vendors, including onsite at properties and cyber; government agencies, financial institutions, and professional service providers, including attorneys and accountants
• Data aggregators.

Example 15: From a Data Processing Agreement

PURPOSES

The processing by the Data Processor is for the purpose of setting up a secure hosted software application to manage and provide monitoring information for support services offered to clients of the Company. To carry out any agreed functions in relation to this and to provide ongoing support, maintenance and systems enhancements. This process is consistent with the Company’s obligations under the Data Protection Act 1998.