In addition to issuing new Standard Contractual Clauses (SCCs) for international transfers of personal data to third countries outside the EEA, the European Commission has also published the finalised Article 28 SCCs for use between controllers and processors. The Article 28 SCCs came into force on 27 June 2021. Unlike the SCCs for international data transfers, use of the Article 28 SCCs is not mandatory. Companies may therefore continue to negotiate their own individual contracts addressing the compulsory elements of Article 28(3) and (4) of the GDPR.
Article 28 of the GDPR provides that, where a processor carries out processing of personal data on behalf of a controller, the parties must enter into a written agreement which shall impose specified obligations on a processor, in particular those referred to in Article 28(3) and (4) of the GDPR. Article 28(7) of the GDPR provides the European Commission with the power to adopt standard contractual clauses to address the requirements in Article 28 of the GDPR.
Whilst it is not mandatory to use the Article 28 SCCs, they provide a useful benchmark against which businesses can assess their individual data processing contracts, and they show the level of detail that the European Commission expects to see in such contracts.
It is worth noting that the Article 28 SCCs do not by themselves ensure compliance with the obligations relating to international transfers under Chapter V of the GDPR, and therefore cannot be used to legitimise international transfers of personal data. This is confirmed by clause 1(f) of the Article 28 SCCs. The new SCCs for international transfers do, however, contain clauses addressing Article 28 of the GDPR (in their controller-to-processor and processor-to-processor modules), and can therefore be used for compliance with both Article 28 and Article 46 of the GDPR.
We have set out some key takeaways of the Article 28 SCCs below.
- No modification – The Article 28 SCCs cannot be modified, except for adding information to the Annexes or updating information in them. This does not prevent the parties from including the clauses in a broader contract, or from adding other clauses or additional safeguards (such as applicable law and jurisdiction), provided that these do not directly or indirectly contradict the Article 28 SCCs, or detract from the fundamental rights or freedoms of data subjects (clause 2).
- Conflict – In the event of contradiction between the Article 28 SCCs and the provisions of related agreements between the parties existing either at the time the Article 28 clauses are agreed or entered into thereafter, the Article 28 SCCs will prevail (clause 4).
- Docking clause – There is an optional docking clause which enables new parties to accede to the clauses at any time as a controller or processor by completing the Annexes, and signing Annex I (clause 5).
- Erasure/Return of Data – Unlike the draft Article 28 SCCs, which were published in November 2020 for public consultation, the finalised Article 28 SCCs do not require the parties to agree up front whether the processor must erase or return the personal data upon the termination of the processing services. Instead, the choice remains with the controller and is exercised following termination of the contract: the processor must, at the controller's choice, either delete all the personal data (and certify that it has done so) or return it and delete existing copies, unless Union or Member State law requires the data to be stored (clause 10(d)).
- Audits – The finalised SCCs no longer require a controller mandating an audit to bear the costs of that audit. The SCCs are now silent on the issue of costs (clause 7.6(d)).
- Use of Sub-Processors – The Article 28 SCCs provide the parties with two options in regard to the appointment of sub-processors: (1) prior specific authorisation for each new sub-processor, or (2) general written authorisation to engage sub-processors from an agreed list. Both options require the parties to agree on the notice period the processor must give the controller prior to engaging a new sub-processor, so that the controller has sufficient time either to decide on the authorisation (in respect of option 1) or to object (in respect of option 2). Neither option deals with the consequences of the controller objecting to a new sub-processor. The Article 28 SCCs also provide that, where the controller requests a copy of the sub-processing agreement, the processor may, to the extent necessary to protect business secrets or other confidential information (including personal data), redact the text of the agreement before sharing it with the controller (clause 7.7(c)). In addition, the processor is required to agree a third party beneficiary clause with the sub-processor, providing that, in the event that the processor has factually disappeared, ceased to exist in law or become insolvent, the controller has the right to terminate the sub-processor contract and instruct the sub-processor to erase or return the personal data (clause 7.7(e)).
- International Transfers – The Article 28 SCCs require that any transfer by the processor, or by a sub-processor, to a third country or international organisation takes place in compliance with Chapter V of the GDPR. They state that such compliance can be ensured by using the SCCs for international transfers adopted under Article 46(2) of the GDPR, provided the conditions for use of those SCCs are met (clause 7.8).
- Assistance to the controller – In some instances, the Article 28 SCCs go beyond what is required by the GDPR. For example, there is a contractual obligation for the processor to assist the controller with its obligation to ensure personal data is accurate, by informing the controller without delay if it becomes aware that data is inaccurate or has become outdated (clause 8(c)(3)).
- Data Breaches – The requirement in the draft Article 28 SCCs for the processor to inform the controller within 48 hours of becoming aware of a personal data breach has been deleted. Instead, the finalised clause requires the processor (in respect of a breach concerning data processed by the processor) to notify the controller of the breach "without undue delay" after becoming aware of it (clause 9.2).
- Termination – Without prejudice to any provisions of the GDPR, the Article 28 SCCs give the controller the right to suspend or terminate processing in certain instances. Where the processor is in breach of the clauses, the controller may instruct it to suspend processing until compliance is restored or the contract is terminated. The controller has an express right to terminate the contract if compliance is not restored within a reasonable time (and in any event within one month) following such a suspension, if the processor is in substantial or persistent breach of the clauses or of its obligations under the GDPR, or if the processor fails to comply with a binding decision of a competent court or competent supervisory authority regarding its obligations under the clauses or under the GDPR. The processor also has a right to terminate the contract where, after informing the controller that its instructions infringe applicable legal requirements, the controller insists on compliance with those instructions (clause 10).
- Annexes – The Article 28 SCCs contain four annexes that must be completed by the parties:
  - Annex I requires the parties to complete the list of the parties to the agreement, and enables new parties to accede to the agreement at any time as controller or processor.
  - Annex II requires the parties to set out a detailed description of the data processing, including the categories of data subjects whose personal data is processed; the types of personal data; the safeguards in place in respect of any sensitive data processed; and the nature, purpose and duration of the processing. For processing by sub-processors, the parties must also specify the subject-matter, nature and duration of the processing.
  - Annex III requires the parties to set out the technical and organisational measures that the processor shall implement to ensure the security of the data. These measures must be described in a specific, rather than generic, manner.
  - Annex IV requires the parties to complete a list of the sub-processors that the processor is permitted to use, in circumstances where the controller requires the processor to obtain its specific prior written authorisation before appointing any sub-processor (option 1 under clause 7.7).
The finalised Article 28 SCCs take into account the Joint Opinion of the EDPB and EDPS on the draft Article 28 SCCs. They are also largely in line with (and in some cases go further than) what the EDPB has recommended should be included in data processing contracts in order to meet the requirements of Article 28(3) and (4) of the GDPR. The draft EDPB Guidelines on the concepts of controller and processor (07/2020) provide some guidance on the content of data processing contracts. In particular, the EDPB highlighted that an Article 28 contract should not merely restate the provisions of the GDPR, but should include more specific, detailed information as to how the parties will meet the requirements set out in Article 28 of the GDPR.
The EDPB also recommends that the data processing contract should set out specific information about the security measures that the processor must implement. The Article 28 SCCs require the parties to provide such detailed information. Annex III requires the processor to specify the security measures it has in place, such as measures for pseudonymisation and encryption of personal data; for ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems; for user identification and authorisation; for the protection of data during transmission and during storage; for the physical security of processing locations; for events logging; for system configuration, including default configuration; and so forth.
This is information which businesses may not have included in their data processing contracts to date, or at least not to the extent expected by the draft EDPB Guidelines and reflected in the Article 28 SCCs. Businesses will therefore need to consider including more detailed information going forward, in particular regarding the security measures they have in place.