Whilst a lot of the focus has (understandably) been on the publication of the European Commission’s final ‘transfer’ standard contractual clauses (“EC Transfer SCCs”) on 4 June 2021, on that same day the Commission also published standard contractual clauses between controllers and processors (“EC Art. 28 SCCs”). They can be found here.
You can find our webinar and slides on the EC Transfer SCCs and EC Art. 28 SCCs here.
What do the EC Art. 28 SCCs cover?
Whilst the EC Transfer SCCs plug a clear gap in that they address gaps in data transfer requirements, the EC Art. 28 SCCs cover ground which many companies will have addressed in their own ways: the requirements in Article 28(3) and (4) GDPR listing particular provisions which must be covered in the contract between a controller or processor. Or, to put it another way, the data processing agreement or ‘DPA’.
Under Article 28(7) GDPR the Commission is entitled to create standard clauses to meet those requirements and in doing so provide a template for the data processing agreement. The process involved input (in January) from both the European Data Protection Board and the European Data Protection Supervisor, after the draft was published for consultation in December 2020.
The EC Art. 28 SCCs will come into force from 27 June 2021.
How do they interact with the EC Transfer SCCs?
To be clear, the EC Art. 28 SCCs are not intended to cover data transfer requirements.
Whilst in the past, an international transfer under standard contractual clauses involving a processor had to be supplemented by Article 28 compliant provisions, the new controller to processor EC Transfer SCCs incorporate GDPR compliant data processing terms, so when the controller to processor Transfer SCCs are used, EC Art. 28 SCCs (or any other form of additional data processing agreement) are not also required.
Do you need to use them?
Unlike the EC Transfer SCCs, there is no imperative on companies to use the EC Art. 28 SCCs – they are entirely optional.
Many companies will have developed their own approaches to data processing agreements, be they template data processing agreements/ addenda, or standard data processing clauses within service agreements. Whilst these will vary in length, detail and content as they relate to the writers’ specific requirements, the EC Art. 28 SCCs provide a standard model that can be used off the shelf.
The Commission is not the first to provide such a template. Article 28(8) of the GDPR invited supervisory authorities in EU countries to create Article 28(3) and (4) data processing agreements and authorities in Germany (Baden-Wurttemberg) and Denmark have in the past taken up this invitation.
Companies have a choice: they can adopt the EC Art. 28 SCCs, or can continue to use their own Article 28-compliant data processing clauses.
A reminder that, since these clauses have been published after the UK left the European Union, they have no official standing in the UK (but that doesn’t mean that UK companies cannot choose to use them anyway if they would like).
How do they work?
The EC Art. 28 SCCs are presented as an annex which can be attached to commercial agreements. Clause 2 sets out the ‘invariability’ of the clauses – i.e. that they should not be modified except for adding information to the Annexes. Clause 2(b) clarifies that this does not prevent the Parties from including the clauses in a broader contract, but Parties will need to ensure that provisions in their contract do not contradict the clauses.
What is good about them?
The best aspects of the November 2020 draft have been retained, and improvements to that draft have been made as well. Taking these points together:
- Adding Parties. Clause 5 includes a docking clause providing a simple mechanism to add new Parties, either as controllers or processors, simply by updating and signing the list of Parties in Annex 1. Care will need to be taken in relation to this mechanism where the clauses are installed as an annex or schedule to a wider services agreement which cross references them.
- Fewer Annexes. The number of Annexes has been reduced from seven in the draft, to four in the final version (I: Parties, II: Description of the processing, III: TOMs, IV: Sub-processors), although to some degree this has been achieved by merging annexes, so the document still needs a lot of detail to be added to its annexes.
- Erasure/ Return. In the draft, the Parties had to agree at the outset on whether the data would be returned or erased at the end of the processing. In the final version, this decision does not need to be cemented at the beginning of the relationship – the choice remains at the option of the controller throughout.
- Drafting improvements. Drafting has generally been improved. For example, the final version removes a requirement to predict in the clauses the supervisory authorities who will oversee certain issues. Furthermore, multiple (and inconsistent) breach notification provisions have been amalgamated (but see more on this below).
What are their flaws?
Despite the clear improvement on the draft version, the final EC Art. 28 SCCs still have their issues:
- Data Breaches. Clause 9 makes a potentially confusing distinction between data breaches concerning data processed by the controller, and data breaches concerning data processed by the processor. For the former, the processor is not under an obligation to notify the breach to the controller. Whilst there is some logic to this approach (presumably it envisages a scenario in which the controller becomes aware of a breach which the processor is in no position to identify), it is not entirely clear when each scenario is meant to apply: what happens, for example, when both Parties are processing the data?
- Sub-Processors. Clause 7.7 deals with the appointment of sub-processors, providing two options: (1) prior specific authorisation to each new sub-processor, or (2) general written authorisation to sub-processors from an agreed list. Neither option provides a particularly high degree of flexibility, which is unsurprising. However, more troubling is that neither option sets out what will happen where the controller objects to a new sub-processor. In many commercial data processing agreements, the contract will include provisions for full or part termination in these circumstances, or at least an obligation generally to negotiate a solution.
- Gold Plating. In places the EC Art. 28 SCCs go beyond what the law strictly requires. For example Clause 7.6(e) compels both Parties to disclose specific compliance documentation, including the results of audits, available to the data protection authority on request.
- TOMs. Annex III contains space for the Parties to insert agreed technical and organisational security measures. The explanatory note in Annex III indicates that a high standard of detail will be required and that a generic description will not be sufficient. A long list of examples of possible measures is included, listing measures such as protection of data during transmission. That said, these are still only examples and the Parties are free to agree their own security standards. The guidance on this within the clauses does, however, indicate the increased focus on technical measures as a key privacy safeguard.
Are the clauses better for processors or for controllers?
Organisations will be used to negotiating either ‘pro-processor’ or ‘pro-controller’ approaches depending on where they sit in the supply chain. The EC Art. 28 SCCs don’t favour one party over the other wholesale, but do contain provisions which a controller or processor may prefer:
- Clauses 7.6(d), 8, and 10(d) are silent on the cost of certain processor support (e.g. assisting the controller). Typically where the contract is silent, this has been taken to mean that the processor should bear any additional cost of providing support. This can be an issue for processors if the cost is not built into the contract price.
- Clause 9.2 does not contain a specific time-frame (e.g. 48 hours as in the Commission’s November draft) for notifying the controller of data breaches. This is positive for the processor who is more free to determine what constitutes ‘without undue delay’.
- Clause 7.6(c) is another positive for processors, as it indicates that certifications can be taken into account in meeting audit requirements.
- Clauses 7.7(b) and (c) contain reasonable sub-processor flow-down provisions – the EC Art. 28 SCCs must be flowed down to sub-processors “in substance” but not in exactly the same form.
Generally, the gold-plating (another example is the processor’s obligation to inform the controller without delay if it becomes aware that data is inaccurate (Clause 8(c)(3))) will be more off-putting to processors than controllers.
So, should you use them?
Whilst they represent a useful tool, in practice many organisations may prefer to continue to use their own familiar templates, particularly if they take a more pro-processor or pro-controller approach.
Nevertheless, organisations may come across the EC Art. 28 SCCs in negotiations and it may be difficult to argue with provisions which the European Commission has itself prepared, even though they are non-mandatory.
The EC Art. 28 SCCs may also have value in providing a template against which data processing agreements can be compared and reviewed.
Given that the new EC Transfer SCCs include many of the provisions that the Commission has also included in its Article 28 SCCs, care will need to be take to integrate home made Article 28 data processing agreements with the EC Transfer SCC’s provisions.