Please create a universal GDPR compliance form (for all agencies and colleagues in Europe)??? URGENT
Thread poster: Sara Brown

Sara Brown
United Kingdom
Local time: 19:52
Member (2006)
English to Spanish
+ ...
May 18

Maybe something like this that all agencies and colleagues in Europe may find acceptable?

Supplemental GDPR Provisions to your Vendor or Translator Agreement (Terms and Conditions) with Language Services Agencies or Providers.

As you will be aware, the new General Data Protection Regulation (EU) 2016/679 (GDPR) comes into force from 25 May 2018. This requires all contracts between controllers, processors and sub-processors to contain various provisions to ensure that the processing of personal data meets the requirements of the GDPR.
Accordingly, I/we agree that the following provisions will form part of the agreement with effect from 25 May 2018:

1. For the purposes of the Agreement, the terms "controller", "data protection impact assessment", "data subject", "personal data", "personal data breach", "processor" and "processing" shall have the meanings set out in the GDPR (and "process" and "processed" shall be construed accordingly). "Sensitive personal data" means personal data that reveals such categories of data as are listed in Article 9(1) of the GDPR. For the purposes of the Agreement, personal data includes sensitive personal data.

2. Personal data will be disclosed by Language Services Agencies or Providers and processed by the Vendor or Translator on behalf of Language Services Agencies or Providers in order for the Vendor or Translator to perform its obligations under the agreement.

3. The processing, type and categories of personal data is strictly limited to what is required in order for the Vendor or Translator to provide the services, responsibilities, processes and/or functions that it is required to provide under the Agreement and may include, but is not limited to, customer and employee data, data relating to individuals.

4. The Vendor or Translator shall:

4.1 act only on the written instructions of Language Services Agencies or Providers;

4.2 ensure that anyone processing personal data (including Vendor or Translator's individual employees and contractors where applicable) is subject to confidentiality obligations that are no less onerous than those set out in the agreement;

4.3 take the appropriate technical and organisational security measures to ensure the security of personal data processing in accordance with Article 32 of the GDPR;

4.4 only engage sub-processors with the prior written consent of Language Services Agencies or Providers and under a written agreement with the sub-processor which includes data protection obligations that are no less onerous than those set out in the Agreement;

4.5 assist Language Services Agencies or Providers in providing subject access and allowing data subjects to exercise their rights under Chapter III of the GDPR;

4.6 assist Language Services Agencies or Providers in meeting its obligations under Articles 32 to 36 of the GDPR with regard to the security of processing, the notification of personal data breaches and data protection impact assessments;

4.7 delete or return all personal data to Language Services Agencies or Providers upon request unless it is required to retain the personal data by law;

4.8 provide Language Services Agencies or Providers with all information that is reasonably required to show that both Language Services Agencies or Providers and the Vendor or Translator have met the obligations of this supplemental letter;

4.9 submit and contribute where necessary to audits carried out by Language Services Agencies or Providers or an auditor appointed by Language Services Agencies or Providers;

4.10 inform Language Services Agencies or Providers immediately in writing if it believes that it has been given an instruction that would infringe the GDPR or other relevant data protection legislation relating to data provided by us;

4.11 notify Language Services Agencies or Providers of any actual, suspected or 'near miss' personal data breach which may have occurred in connection with this Agreement as soon as reasonably practicable (and in any event, within twenty-four (24) hours) upon becoming aware of the same; and

4.12 notify Language Services Agencies or Providers promptly (and in any event within forty-eight (48) hours) following its receipt of any actual or purported request or notice or complaint from (or on behalf of) a data subject exercising their rights under the GDPR or any correspondence or communication (whether written or verbal) from the ICO in relation to the processing of the personal data.

5. Please address all GDPR enquiries to ………

Nothing within this supplemental letter or the Agreement relieves the Vendor or Translator of its own direct responsibilities and liabilities under the GDPR.

In all other respects the terms and conditions of the Agreement shall remain unaffected. In the event of any conflict between this supplemental letter and the Agreement, this supplemental letter shall take precedence. Unless otherwise provided the words and expressions defined in, and the rules of interpretation of, the Agreement shall have the same meaning in this supplemental letter. This supplemental letter shall be construed in accordance with the laws of England and Wales and the Parties hereby submit to the exclusive jurisdiction of the English courts.

We would be grateful if you would arrange to return within 1 week a copy duly signed to indicate your agreement to the terms contained herein.

Yours faithfully

Language Services Agencies or Providers
We hereby acknowledge and agree to the terms set out in this supplemental letter:


Signature

Name

Date


 

Thomas T. Frost  Identity Verified
Member (2014)
Danish to English
+ ...
4.7 and 4.9 are problematic May 18

Good idea, but if you delete anything you have translated, how do you prove that you have made no mistakes if the outsourcer later claims you have not fulfilled the contract or may be liable for errors? We would need an additional clause to hold the translator harmless against any claim made after requested erasure, and the work would need to have been paid in full. In their privacy policies, corporations also reserve the right to retain personal data for as long as claims can be made against them. This is a legitimate reason, according to the GDPR, to retain personal data.

And an audit in my home is something I'm not willing to accept. I too have privacy rights. An audit by one client could also expose other clients' confidential data – and mine – to said client. It would need to be clearly defined what is to take place during an audit, and if it can be done remotely.

Outsourcers could also anonymise personal data before submitting them for translation.

I think we also need a clause to the effect that if personal data concerned by the GDPR is included in a job, then the outsourcer needs to forward copies of consent from the concerned individuals, including authors of internal reports if their names appear on the forwarded documents.


 

Tina Vonhof
Canada
Local time: 12:52
Member (2006)
Dutch to English
+ ...
Much ado... May 18

From across the ocean it all seems much ado about nothing. I get forms to sign from agencies that I haven't worked with for X number of years, in fact aren't even in my database anymore. The terms on these forms are very vague and don't include any examples of what 'personal data' refers to for the purpose of the GDPR, nor is it explained how the GDPR would be enforced outside Europe. I take reasonable, adequate security precautions to maintain client confidentiality. But I'm not going so far as encrypting data etc., just to comply with the GDPR.

 

John Fossey  Identity Verified
Canada
Local time: 14:52
Member (2008)
French to English
Same here May 22

Tina Vonhof wrote:

From across the ocean it all seems much ado about nothing. I get forms to sign from agencies that I haven't worked with for X number of years, in fact aren't even in my database anymore. The terms on these forms are very vague and don't include any examples of what 'personal data' refers to for the purpose of the GDPR, nor is it explained how the GDPR would be enforced outside Europe. I take reasonable, adequate security precautions to maintain client confidentiality. But I'm not going so far as encrypting data etc., just to comply with the GDPR.


In the last couple of days I have received dozens of emails from European agencies, wanting me to print out multi-page agreements, sign, scan and return. This from some agencies that I have never heard of but am somehow on their database, others that I have not worked for in a decade. And I am supposed to agree to ridiculous terms, such as that I am supposed to promise never to print the source document (it's part of my usual procedure, to have a copy of the source at hand for better understanding), never to take a break or get up from my computer without locking it first (there's nobody else here), never to use any CAT tool except that specified, never to save files without encrypting them, etc., etc.

At first I responded to this tidal wave of emails by pointing out that I am not a European person, now I'm just considering them as spam.

[Edited at 2018-05-22 12:58 GMT]


 

Christine Andersen  Identity Verified
Denmark
Local time: 20:52
Member (2003)
Danish to English
+ ...
Just be realistic May 22

There is an awful lot of confusion about GDPR, and I must admit I am as confused as everybody else, because there seems to be no clear summary anywhere of what requirements actually are. I agree, it is not easy to tell some agencies to calm down and use their common sense, but if they make unreasonable demands, I simply refuse to work with them - I am lucky enough to be able to afford that approach!

I do not consider the ICO in the UK particularly helpful! There are just hundreds of pages of updates of updates…

One folder I downloaded from the ICO contains the following:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
___________________________________________________________________

Article 5 of the GDPR requires that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

_______________________________________________________________________

I understand from colleagues that
-- encryption is NOT a requirement
-- a password-protected computer IS adequate protection,
provided no unauthorised person is given the password or access to the computer while it is turned on.

Clients cannot in practice enforce ridiculous clauses like demanding that the computer be locked every time you answer the phone or go for a coffee break, unless you leave the computer in a public place where you do not know who can gain access to it.

Like Thomas, I refuse to accept clauses that would allow clients to gain access to my computer or inspect my premises. These clients would almost certainly not agree that I could also allow other clients to access my computer in the same way, and inspecting my private premises infringes my privacy and my relatives' personal privacy.

Clients cannot in practice prevent you from printing out a working copy of the document, and of course, you can undertake to ensure that no unauthorised person gains access to them, and that printouts will be destroyed responsibly after use. In some circumstances paper is more secure than digital information anyway...

I do not use the Cloud, Dropbox or facilities like that, but if you do, you need to check that the security is GDPR compliant, and upgrade if necessary.

*** *** ***
My personal attitude to TMs etc. is that the regulations cannot be applied retrospectively.

I have therefore sorted and tidied a lot of my earlier files, and am deleting older backups and outdated material of all sorts which are no longer needed - as time permits and when I get round to it.

However, in principle, anything legally collected and protected in previous years cannot suddenly become illegal now, unless you actively use it illegally.
Professional translators have all signed codes of conduct and NDAs, and we know all about keeping clients' data confidential etc. etc.
So in principle not much changes there either.

Then there is the question of CONSENT.
For our purposes, if a client has submitted a document for translation, then that is consent to the translator's use of the data. An agency is the data controller, and the translator is the data processor.
Subject to NDAs and security procedures, as far as I see it, we simply carry on as usual.
Where possible, the agency can remove personal details before sending a document for translation, but that will not always be possible.

Translators do not normally pass on details to third parties for marketing purposes etc.
That is what the GDPR is really all about. In my humble opinion, we need to be aware of the GDPR and perhaps tighten up procedures for deleting information, or filtering names and sensitive details out of TMs, for instance.

We need to state clearly what security procedures we follow, but do not need to make a lot of major changes if we already act professionally and responsibly.

__________________________________

We may have to reconsider how we add information to TMs, but if they are stored on secure computers, they are to some extent encrypted, as they require special software to open them, and they are not really easily searchable!

With Trados Studio it is possible to make a Project TM, and then attach master TMs as 'read only'. After translating, any identifiable personal details can be deleted from the project TM, or they can perhaps be locked, so that they are not saved in the TM at all, before it is added to the master TM for future reference.

Or, instead of saving the whole document in the TM, relevant terminology and strings can perhaps be extracted and saved in the terminology database, where they will be completely anonymous and detached from personal details.


 

