The definition of ”sale” lists this standard as part of what is required to benefit from the exception to the sale of personal data. Where a service provider does not limit these activities to the bare minimum, the transfer is considered the sale of personal data and is subject to the right to opt out when requested by a consumer. However, the CCAC provides a very narrow definition of the concept of ”service provider” and sets strict rules on what service providers can or cannot make of the personal data they receive from businesses. The CCAC distinguishes between service providers and third parties by describing a third party as negative and the requirements of a written contract governing the transfer of data between the parties. According to the design of the law, a ”service provider” is as follows: if a company has the above notification, it may be held liable under the CCAC if the provider receives personal data from the company and uses it in violation of the CCAC. You will probably find that some service providers want to negotiate changes to your language of presentation, due to a greater focus on data protection and digital security. Some service providers have adapted their data processing contracts to make it suitable for use as a service provider contract. The company should check to see if there are other reasons why disclosure is not a sale. With respect to the independent statutory auditor, the company could, for example, say that there is no valid consideration for personal data obtained during the audit, since a statutory auditor does not pay in a reasonable sense the data. The company could also assert that the independent accountant is not a ”third party” at the origin of the ”sale” provision if the company imposes a written contract containing the elements (7) and (8). Note that these items do not contain the ”name” requirement that applies to service providers, so it may be suitable for an independent reviewer. This agreement is often referred to as the data processing agreement (or endorsement if it is attached to an existing master service contract) (DPA).
Standard and prefabricated data protection authorities can be obtained from one of the negotiating parties or can be obtained from branch groups such as .B the Limited Service Providers Agreement (LSPA), published in 2019 by the Interactive Advertising Bureau. Companies can find these ”ready-made” or DPAs of templates to have many advantages, but they also have risks if they are not adapted to the specific needs of a company. Under certain conditions, the following types of businesses may be considered service providers: The following comparison should help you determine whether your business (or a business you work with) is a business or service provider.