Author Archive
Issues to consider when negotiating an IT services agreement include:
- Is the engagement for the provision of services, or for delivery of specific deliverables? Or a combination of both?
- Is it a one-off engagement, or likely to be the first of a series of engagements?
- Is the services provider being paid on a time-spent basis (‘time & materials’/’T&M’), or on delivery of pre-agreed deliverables (‘fixed price’)?
- Is payment for the deliverables subject to user acceptance testing (UAT)? If so, who is responsible for testing, what tests/criteria are used, and is the services provider excused any minor failures? What happens if the deliverable fails UAT?
- Is delivery staged, using pre-agreed milestones? If so, will the milestones trigger interim UATs and/or part payments? What happens if the service provider fails to meet a milestone?
- What rights does the client have if the service provider fails to deliver the deliverable (and/or pass the UAT) by the agreed date? If there is a late delivery payment, is this the client’s only remedy?
- Does the client own the intellectual property rights in the deliverables or other output of the services? If the client is granted a licence instead of ownership, what rights does the service provider retain? What licensing arrangements apply for third party software?
- Is any third party software required in connection with the project? Who is responsible for procuring this software? Is it licensed directly to the customer, or subject to a sub-licence granted by the service provider?
- Are the arrangements between the service provider and its consultants/contractors consistent with the customer acquiring ownership of the IP? Should the customer look for additional comfort regarding assignment of the IP directly from the supplier’s consultants/contractors? If the service provider is a limited company, does the client need separate agreements with the individuals who are actually creating the deliverables?
- What warranties are being provided by the service provider for the deliverables, and for how long?
- If the service provider is an individual contracting via a personal service company, are the arrangements affected by the off-payroll working rules (IR35)?
- Is the engagement ‘fixed’, or can the client terminate the engagement for convenience? If so, how much notice must the client give, and what are the client’s obligations on termination? What, if any, termination rights does the service provider have?
- Is the service provider restricted from providing services to the customer’s competitors?
- Are there restrictions on the customer hiring/poaching the supplier’s staff?
Tags: fixed price, IPRs, IR35, IT services, personal service company, PSC, T&M, UAT, user acceptance testing
Posted in Uncategorised
An IP assignment is a transfer by the owner (assignor) of its rights, title and interests in specified intellectual property (IP) to the receiver (assignee). Under English law an assignment of intellectual property rights must be in writing to be effective.
Issues to consider when negotiating an IP assignment include:
- On what date is (or was) the assignment effective?
- Have the intellectual property rights (IPRs) that are the subject of the assignment been adequately identified/described, including any registrations or applications?
- Does the assignee already have a copy of the software or other material in which the IPRs subsist?
- If the assignee is paying for the IPRs, when and how will payment be made? What happens if payment is late?
- What warranties is the assignor giving in relation to the IPRs?
- What indemnities is the assignor giving?
- If copyright is being assigned, has the assignor (or, if different, the original creator of the copyright) waived their moral rights?
- If the assignor is a company, do the individual(s) who created the IPRs need to be parties to the assignment?
Posted in Uncategorised
22/02/21 – On 19 February 2021 the European Commission published two draft adequacy decisions, one for transfers of personal data to the UK under the GDPR and the other under the Law Enforcement Directive. Although perhaps not surprising, this is still a positive step because it means the Commission has concluded that the UK does ensure an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive, including in relation to the rules for data access by public authorities.
What happens next?
The European Data Protection Board (EDPB) will now review and provide its (non-binding) opinion on the draft decisions. Representatives of each EU member state will then be asked to approve the adequacy decisions (the so-called ‘comitology procedure’) before the decisions are adopted by the Commission. In the meantime data can continue to be transferred from the EEA to the UK under the regime set out in the UK-EU Trade and Cooperation Agreement, as discussed in my article UK-EU data transfers from 1st January 2021 – where are we? If the draft adequacy decisions are adopted, they will be valid for four years, following which they may be renewed if the level of protection in the UK continues to be adequate.
Tags: adequacy decision, data protection, data transfer, gdpr, Trade and Cooperation Agreement
Posted in Privacy, Updates
Following initial discussions, you may want to put the key terms down on paper before you start the time consuming and/or costly negotiation of the full contract. This document is known as Heads of Terms, or often just ‘Heads’; it is also referred to as a Letter of Intent (LOI) or Memorandum of Understanding (MOU).
Issues to consider include:
- Are any of the provisions in the Heads of Terms intended to be legally binding, eg confidentiality or non-solicitation? Is this clear from the document? Equally, is it clear that the other provisions are intended not to be legally binding?
- Will the supplier be starting work after the Heads of Terms have been signed, but before the full contract is concluded? If so, what happens if the parties fail to agree a full contract, but the supplier has carried out work and/or incurred expenditure?
- Are the parties free to negotiate with third parties once the Heads of Terms have been signed? If not, how long does the restriction continue? What happens if a party does start talking to someone else?
- If a party decides to withdraw without good reason after the Heads of Terms have been signed, are they responsible for some or all of the other party’s wasted legal/other costs? If so, how much? And what constitutes a good reason?
Tags: Heads, heads of terms, legally binding, LOI, MOU
Posted in Uncategorised
Key issues to consider when negotiating a Shareholders’ Agreement include:
Funding
- How will the business be funded?
- If shares are being issued, how are they being paid for (cash, IP, other assets etc)? Will all shareholders have the same type of shares, i.e. the same voting rights and entitlements to dividends and capital?
- If any of the funding is being provided by way of a loan, on what terms is the loan being made and repaid?
Business
- Will the shareholders be agreeing a business plan, either for the first year or two, or on an ongoing, annual basis?
- Is the business being set up for the long term, or with a view to an exit as soon as possible?
Profits
- What proportion of profits will be distributed as dividends, rather than reinvested in the business?
- Will all dividends be distributed to shareholders equally, or will profits be allocated by the board to shareholders based on performance, effort etc?
Employees
- What employees will the company be hiring, and on what terms?
- Will full-time directors be entitled to be paid for their work, over and above their entitlement to any profits?
- Will the company use shares to motivate and retain key employees, whether by way of a share option plan or otherwise?
Directors
- How often will board meetings be held? How many directors need to attend the meeting for the meeting to be quorate, so that decisions can be made?
- Will all board decisions be made by way of a simple majority, or will a different majority (two-thirds, three-quarters etc.) be required for key board decisions?
- Will the right of individual directors to make bank transfers, sign contracts, employ staff, purchase assets etc. be limited?
- How can directors be removed, and/or additional directors appointed?
Decision making
- What types of decisions will the directors need to refer to the shareholders?
- For decisions that require shareholder approval, what percentage of the shareholders is required?
- Will minority shareholders be given any special protections?
Sale of shares
- What happens if a shareholder wants to sell their shares? Should all the other shareholders have first dibs?
- How are the shares valued? By an independent accountant, by reference to a pre-agreed formula, or using some other method?
- If a shareholder dies or is permanently incapacitated, what happens to their shares?
Drag along/tag along
- If the majority (or other minimum percentage) of the shareholders want to sell their shares to a third party, will they be entitled to force (‘drag along’) the remaining shareholders to sell to that third party as well?
- If the majority (or other minimum percentage) of the shareholders propose to sell their shares to a third party, will the remaining shareholders have the right to participate (‘tag along’) in the sale to the third party?
Employee shareholders
- If a shareholder is also an employee, do they have to sell their shares if they resign? What if they are fired?
- If a leaving employee shareholder has to sell their shares, does the company have the right to purchase the shares in priority to the other shareholders?
Non-compete restrictions
- What non-compete and/or other restrictions will apply to a shareholder who leaves?
Posted in Uncategorised
Key issues to consider when drafting, reviewing or negotiating an NDA include:
- Should the NDA be mutual or one-way?
- Has the information to be treated as confidential been adequately identified and defined? Does it include information disclosed verbally?
- What information is not confidential, e.g. because it is already in the possession of the receiving party, or the receiving party acquires it independently of the disclosing party?
- Does the NDA need to extend to information disclosed before the NDA is signed?
- Has the purpose for which the receiving party may use the confidential information been adequately identified and defined?
- With whom may the receiving party share the confidential information, e.g. contractors, group companies, professional advisers etc.? Is the receiving party directly responsible for any non-permitted disclosure by those third parties?
- What security measures does the receiving party need to adopt for the confidential information?
- What is the duration of the NDA? Can it be terminated? If the NDA is terminated, how long do the confidentiality obligations themselves continue?
- What are the receiving party’s obligations in terms of returning/destroying confidential information? Is the receiving party able to comply with an obligation to ‘delete all electronic copies’? Is the receiving party entitled to retain a copy of the confidential information, whether for legal/regulatory reasons or otherwise?
Tags: confidentiality agreement, NDA, non disclosure agreement
Posted in Uncategorised
Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information. The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a link on a website. The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).
Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.
Information audit
The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:
- What personal data your organisation collects, including from customers, suppliers, employees, visitors, job applicants etc.
- How the personal data is collected.
- Where the personal data is stored, and what technical and organisational measures are in place to ensure security.
- What your organisation does with the personal data.
- Whom the personal data is shared with, including data storage and SaaS providers.
- Whether the personal data is transferred to locations outside the UK, and if so where.
- Whether the personal data includes any ‘special category data’, and if so whether any additional safeguards have been put in place.
- How long the personal data is kept.
Privacy notice
The next step is then to create the privacy notice by documenting the output of your information audit. The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:
- Name of and contact details for the organisation(s) collecting the personal data, i.e. the identity of the controller providing the privacy notice.
- The types of personal data the controller collects, and how the personal data is collected.
- Whether any of the personal data constitutes special category data.
- What the controller intends to do with the personal data.
- The lawful basis for processing the personal data.
- Whom the controller shares the personal data with, and why.
- Whether the controller transfers any personal data outside the UK, and if so details of the relevant transfer mechanism.
- How long the controller keeps the personal data.
- How the controller keeps the personal data secure.
- If the individual is required by law or by contract to provide the personal data, consequences of not providing it.
- Whether the controller uses automated decision-making, including profiling, and if so details of the logic involved and the consequences of the processing for the individual.
- What rights the individual has in relation to their personal data.
Final thoughts…
- When drafting a privacy notice, it’s tempting to take a broad, catch-all approach – “we will or may use your information for some or all of the following purposes…”, followed by a long list covering pretty much everything you can think of. Although strictly speaking accurate, the broad brush approach is likely to struggle to satisfy the “concise, transparent, intelligible” requirement. Put yourself in the data subject’s shoes: having read the privacy notice, would you understand how your personal information will in fact be used, stored, shared, etc?
- Because of the amount of information that you may need (or want) to include, consider adopting a ‘layered’ approach for the privacy notice. This is where you have a high-level, top-layer notice with the key privacy information, with links enabling the data subject to click through a second layer with a bit more detail, and then from the second layer there may be further links to a third layer with the full detail. This layered approach may be particularly useful for mobile or smart devices with small screens.
- There is no requirement for all the privacy notice content to be provided to the data subject in one go, and it may make sense for you to provide the data subject with privacy information at the time that they are actually providing you with their personal data – so-called ‘just-in-time’ notices.
- As your organisation evolves through the use of new technologies and/or you offer new products and services, it’s likely that personal data will be collected and used in different ways. Put in place a process which ensures that your privacy notice is updated in line with these changes, and that the updated notice is communicated to your data subjects.
Tags: data protection, gdpr, information audit, layered privacy notice, privacy notice, privacy policy
Posted in Privacy, Updates
A Data Processing Agreement (DPA) confirms the terms on which one party (the ‘processor’) processes personal data provided or made available by another party (the ‘controller’).
Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ and stakeholders’ email addresses to an email marketing platform, or uploads its business data to a hosted data storage provider.
As well as being the right thing to do commercially, controllers and processors are required by Art 28(3) of the GDPR (now incorporated into UK law, as amended) to enter into a contract which sets out:
- The subject-matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
The contract must also stipulate the processor obligations listed in paragraphs (a) – (h) of Art 28(3):
- Only process personal data in accordance with the controller’s documented instructions, including with regard to transfers of personal data outside the UK.
- Ensure that individuals authorised to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures to ensure the information’s security.
- Assist the controller with its response to any request by a data subject.
- Assist the controller in meeting its security obligations, including co-operating with the controller in the event of a personal data breach and if the controller carries out a data protection impact assessment.
- Delete or return the personal data at the end of the engagement.
- Make available to the controller the information needed to demonstrate compliance with Art 28, and allow for and contribute to audits conducted by the controller or its auditor.
If a processor wants to engage its own processor (a ‘sub-processor’), the processor must obtain the controller’s specific or general prior authorisation. If the authorisation is general, then the processor must notify the controller of any additional or replacement sub-processor (Art 28(2)). The processor must also enter into a DPA with the sub-processor which imposes on the sub-processor the same data protection obligations as are set out in the DPA between the processor and the controller (Art 28(4)).
Posted in Privacy, Updates
Before committing to a purchase and full deployment, a prospective customer may require a trial or ‘proof of concept’ (POC) of the supplier’s technology. Although a trial will be limited in both duration and scope, many of the implementation, licensing, data processing and liability issues that apply to full deployment will also apply to a trial.
Issues to consider when negotiating a trial/POC agreement include:
- How long will the trial continue? Does the customer have an option to extend the trial?
- What is the scope of the trial? Is the trial limited to a testing or staging environment, or is the customer entitled to deploy the technology in a live, production environment?
- Will the customer provide the supplier with formal feedback during or following the trial? Will the supplier be entitled to use data from the trial and/or customer feedback for marketing purposes?
- Is the customer paying for the trial? Can the customer set the trial payment off against the charges for a purchase of a full deployment?
- If the trial involves the use of any supplier hardware or other equipment, who is responsible for any loss or damage during the trial?
- Does the trial involve the processing of the customer’s personal data, and require data processing terms to be agreed?
Tags: DPA, POC, trial agreement
Posted in Uncategorised