The Tour d'Horizon of Data Law Implications of Digital Twins
Controller may be obligated to delete such personal data, ensuring compliance with applicable data protection regulations. With reference to the Use Cases mentioned above, data protection and privacy regulations would be triggered for Healthcare-related DTs that use personal information, since the Input data would presumably contain personal data of the individual concerned. However, if the data relates solely to an aircraft engine or a network and does not include data relating to an individual, then such data protection and privacy regulations may not apply. Such data would instead be governed by specific legislation, if any, relating to the use of non-personal data.
Where non-personal data or technical data is collected and processed, such data may not relate to any specific natural person. There may not be a data subject in these cases. This may include use-cases where the DT is that of a car engine or of an electronic grid, where no personal data related to an individual would be required to create the DT.
3.2 DATA AGREEMENTS
At certain stages of the DT data lifecycle, data may flow between relevant stakeholders. For instance, (i) during the procurement stage, data is acquired from a source, (ii) during the processing stage, the data may be shared with a third-party Data Processor and (iii) lastly, post-deployment, the final data may be shared with relevant stakeholders. In such arrangements, two distinct data agreements often govern the transfer of data:
• Data Controller and Data Subject Agreement: When personal data is collected from an individual (Data Subject), the Data Controller, potentially the DT provider, is required in most jurisdictions to provide notice and obtain explicit consent. The notice must clearly set out the purpose of data collection and processing, and inform the Data Subject of their rights (e.g. access, rectification and erasure).
• Data Controller and Data Processor Agreement: When the Data Controller engages a third-party Data Processor to process personal data, the relationship must be formalized through a contract. This contract should specify the security standards to be upheld, the responsibilities and liabilities of each party in the event of a breach, and the mechanisms for audits and oversight to ensure compliance.
Such agreements are crucial for delineating roles, determining ownership of data, setting security obligations, maintaining transparency and adhering to legal requirements throughout the DT data lifecycle. For instance, agreements between a Data Controller and a Data Processor typically include clauses to ensure the secure handling of data and to prevent unauthorized access: (i) confidentiality obligations binding each party and its employees, (ii) access to data only for authorized individuals within each party's organization, based on their roles and responsibilities, (iii) technical security measures such as multi-factor authentication, encryption, etc., and (iv) compliance with specific data security standards and periodic compliance audits.
Journal of Innovation 79