The European Union’s General Data Protection Regulation (“GDPR”), arguably the most comprehensive – and complex – data privacy regulation in the world, goes into force on May 25, 2018. As retailers and other companies prepare, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, we are publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: If a service provider has already agreed to the controller-processor standard contractual clauses, are you required to put additional GDPR-related contractual provisions in place?

Answer: Yes. The GDPR imposes two requirements when a company (referred to in the GDPR as a “data controller”) uses a service provider (referred to in the GDPR as a “data processor”).

The first requirement is that if a data controller is based in the EEA and is transferring personal data to a processor that is based outside of the EEA, the parties must take steps to ensure that the jurisdiction in which the data is going has “an adequate level of protection.” When the GDPR refers to an “adequate level of protection” it is not talking about the security of the data. Instead, it is referring to the protections afforded by the laws of the country to which the data will be transferred.

Under the GDPR, a jurisdiction typically affords data an “adequate level of protection” if one of four factors exist.

  1. First, the EU Commission can evaluate the laws of the foreign country and find that they are per se similar in nature to the GDPR.
  2. Second, the entity that will be receiving the data can enter into “binding corporate rules.” These refer to internal policies and procedures that have been presented to, and approved by, European data protection authorities.
  3. Third, a legally binding and enforceable instrument can be created between governments to facilitate the data transfer. An example of such an instrument is the EU-US Privacy Shield framework that was negotiated, and approved by the EU Commission, in 2016.
  4. Fourth, and most common, is the use by the contracting parties of contract provisions that have been pre-approved by the EU Commission as contractually guaranteeing an “adequate level of protection.” While some companies integrate the standard contractual clauses into larger service provider agreements, other contracting parties execute the standard contractual clauses as a free-standing agreement.

The second requirement imposed by the GDPR is that every service provider agreement must contain thirteen specific contractual provisions. Given the popularity of the standard contractual clauses, and the fact that they have been pre-approved by the EU Commission, many contracting parties assume that the standard contractual clauses incorporate all of these thirteen requirements. Unfortunately, they do not. For a chart summarizing the thirteen requirements within Article 28 and indicating which of those requirements are satisfied, partially satisfied, or not addressed by, the standard contractual clauses, click here.