European Commission Releases Draft Standard Contractual Clauses for Article 28 Data Processing Agreements
On November 12, 2020, somewhat in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses to be used between controllers and processors in the EEA (“EEA Controller-Processor SCCs”).
The EEA Controller-Processor SCCs are aimed at assisting organizations that rely on third parties in the EEA to perform certain data processing activities on their behalf (i.e., “data processors”) to comply with their obligations under the EU General Data Protection Regulation (“GDPR”). In particular, Article 28 of the GDPR requires data controllers to put in place an agreement (or other legal act) when outsourcing data processing activities to a data processor and sets forth the data protection obligations that must be covered in such data processing agreement. These data protection obligations include duties for the data processor with respect to: (1) compliance with the data controller’s processing instructions; (2) return or erasure of data at the end of the data processing services; (3) information security; (4) providing assistance to the data controller in complying with the latter’s obligations under the GDPR, such as in relation to data subject rights requests, notification of data breaches and data protection impact assessments; (5) allowing and supporting audits conducted by the data controller or another auditor; and (6) engagement of sub-processors.
With the EEA Controller-Processor SCCs, the European Commission seeks to provide organizations subject to the GDPR with a standard data processing agreement that meets the requirements set forth in the GDPR, as envisioned by Article 28(7) of the GDPR. In addition to the data protection obligations set forth in the body of the contractual clauses, the EEA Controller-Processor SCCs contain a number of annexes that must be completed by the parties, including to provide a detailed description of the: data processing activity; information security measures; data controller’s instructions, special restrictions and/or safeguards concerning the processing of sensitive personal data; sub-processors involved in the data processing activities; and measures by which the data processor is required to assist the data controller.
The use of EEA Controller-Processor SCCs will not be mandatory, and organizations will continue to be able to use their own customized data processing agreements to meet their obligations under Article 28 of the GDPR. However, the EEA Controller-Processor SCCs give a clear signal of the level of detail that the European Commission expects to see in these data processing agreements.
The draft EEA Controller-Processor SCCs are open for public consultation until December 10, 2020, and feedback may be submitted here.