The European Data Protection Board (EDPB) has published the final version of standard data processing clauses proposed by the Danish data protection authority (DPA).
Many readers will be familiar with the trials and tribulations of negotiating data processing clauses under Article 28(3) of the General Data Protection Regulation 2016 (GDPR), which requires certain provisions to be in place between controllers and processors.
The European Commission and supervisory authorities across the EU have the power, under Articles 28(6)-(8), to adopt standard contractual clauses (SCCs) that can be used by controllers and processors to comply with Article 28(3). Article 64(1)(d) of the GDPR requires supervisory authorities that are considering adopting SCCs to submit those SCCs to the EDPB for an opinion.
This is exactly what the Danish DPA did in April 2019. The EDPB’s opinion on the SCCs, released in July 2019, welcomed and endorsed the concept of the SCCs but recommended a number of changes. Those changes have now been implemented and the final version of the SCCs published. The clauses are currently only available in Danish but it is expected they will be published in all EU languages.
What are the implications?
Controllers and processors do not have to use the SCCs, but if they do, they must be adopted “as is”. The EDPB makes it clear that the parties can add other clauses or additional safeguards, as long as they do not contradict the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects. Otherwise, though, it’s an “all or nothing” approach and organisations cannot “cherry pick” which clauses to include or not to include.
Whilst the EDPB’s opinion focussed on these particular SCCs, there are a number of interesting points in the commentary that give an indication of how the EDPB expects Article 28(3) clauses to be implemented more generally. Some of the lessons we can learn from these are as follows:
The EDPB makes it clear that clauses which simply restate the provisions of Article 28(3) will not be adequate; the contract should further stipulate and clarify how the provisions will be fulfilled. Organisations cannot simply copy and paste Article 28(3) into their contracts.
The EDPB’s opinion is that the controller should be able to give additional documented instructions throughout the duration of the contract. Provisions which attempt to make the instructions in the contract the “complete and final instructions” to the processor should be treated with care.
The EDPB makes it clear that, where a “general” authorisation to appoint sub-processors is given in the contract, this should be linked to a named list of sub-processors that is included as an appendix. A blanket authorisation to appoint any sub-processors, without tying this to a list of those appointed at the time of the contract, is unlikely to suffice.
Data subject rights
The EDPB suggests that, as well as the general obligation on the processor to assist the controller in responding to data subject rights requests, the contract should set out (in a separate appendix) the process to be followed if the processor receives such a request directly. Whilst this may not always need to form part of a data processing contract, it does highlight the importance of the parties discussing and agreeing in principle how those practical processes will work.
The EDPB clarifies that the processor’s obligation to notify breaches to the controller should not be linked to a severity threshold. It is for the controller to determine whether the breach has to be notified to the supervisory authority and/or to data subjects, so the processor should be obliged to notify all breaches it becomes aware of to the controller.
Deletion or return of data
Article 28(3)(g) imposes a clause requiring the processor to delete or return personal data at the end of processing, at the controller’s choice. The EDPB opinion suggests that it is acceptable to set out in the contract which of these choices is being made, rather than leaving both options open in the drafting.
Audit rights are often some of the most hotly negotiated data processing provisions. The EDPB’s opinion reiterates the need for audit rights over sub-processors to be detailed in the contract. Practically, this often presents a significant challenge where processors cannot back off the audit rights in their sub-processor contracts. The EDPB also reiterates the need for controllers to have the right to request measures to be taken following the results of any inspection.
There can never be a completely “one size fits all” approach to data processing clauses. The nature, extent and risk of data processing varies from contract to contract and there will be many arrangements that are not suitable for adoption of these (or any other) SCCs, particularly given the constraint of having to implement them “as is”. The SCCs may also have been influenced by Danish laws and customs that might not carry across to the UK and other jurisdictions, and other supervisory authorities (including the ICO) are, of course, entitled to issue alternative SCCs.
However, the SCCs are likely to be useful for small- and medium-sized enterprises in the UK, which may not have the resources to draft and negotiate their own clauses, and may also prove a useful way for organisations of any size to reduce the headache of extensive data processing negotiations. In any case, the EDPB’s views provide helpful insight into regulatory expectations of what Article 28(3) clauses should look like and may help to steer both parties towards a speedier conclusion in negotiations.