January 19, 2021

Volume XI, Number 19

European Commission Releases Draft Standard Contractual Clauses for Article 28 Data Processing Agreements

On November 12, 2020, somewhat in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses to be used between controllers and processors in the EEA (“EEA Controller-Processor SCCs”).

The EEA Controller-Processor SCCs are aimed at assisting organizations that rely on third parties in the EEA to perform certain data processing activities on their behalf (i.e., “data processors”) to comply with their obligations under the EU General Data Protection Regulation (“GDPR”). In particular, Article 28 of the GDPR requires data controllers to put in place an agreement (or other legal act) when outsourcing data processing activities to a data processor and sets forth the data protection obligations that must be covered in such data processing agreement. These data protection obligations include duties for the data processor with respect to: (1) compliance with the data controller’s processing instructions; (2) return or erasure of data at the end of the data processing services; (3) information security; (4) providing assistance to the data controller in complying with the latter’s obligations under the GDPR, such as in relation to data subject rights requests, notification of data breaches and data protection impact assessments; (5) allowing and supporting audits conducted by the data controller or another auditor; and (6) engagement of sub-processors.

With the EEA Controller-Processor SCCs, the European Commission seeks to provide organizations subject to the GDPR with a standard data processing agreement that meets the requirements set forth in the GDPR, as envisioned by Article 28(7) of the GDPR. In addition to the data protection obligations set forth in the body of the contractual clauses, the EEA Controller-Processor SCCs contain a number of annexes that must be completed by the parties, including annexes providing a detailed description of: the data processing activity; the information security measures; the data controller’s instructions, special restrictions and/or safeguards concerning the processing of sensitive personal data; the sub-processors involved in the data processing activities; and the measures by which the data processor is required to assist the data controller.

The use of EEA Controller-Processor SCCs will not be mandatory, and organizations will continue to be able to use their own customized data processing agreements to meet their obligations under Article 28 of the GDPR. However, the EEA Controller-Processor SCCs give a clear signal of the level of detail that the European Commission expects to see in these data processing agreements.

The draft EEA Controller-Processor SCCs are open for public consultation until December 10, 2020, and feedback may be submitted here.

 

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 322
About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
