Whilst a lot of the focus has (understandably) been on the publication of the European Commission’s final ‘transfer’ standard contractual clauses (“EC Transfer SCCs”) on 4 June 2021, on that same day the Commission also published standard contractual clauses between controllers and processors (“EC Art. 28 SCCs”). They can be found here.
You can find our webinar and slides on the EC Transfer SCCs and EC Art. 28 SCCs here.
Whilst the EC Transfer SCCs plug a clear gap in data transfer requirements, the EC Art. 28 SCCs cover ground which many companies will have addressed in their own ways: the requirements in Article 28(3) and (4) GDPR listing particular provisions which must be covered in the contract between a controller and a processor or, to put it another way, the data processing agreement or ‘DPA’.
Under Article 28(7) GDPR the Commission is entitled to create standard clauses to meet those requirements and in doing so provide a template for the data processing agreement. The process involved input (in January) from both the European Data Protection Board and the European Data Protection Supervisor, after the draft was published for consultation in December 2020.
The EC Art. 28 SCCs will come into force from 27 June 2021.
To be clear, the EC Art. 28 SCCs are not intended to cover data transfer requirements.
Whilst in the past, an international transfer under standard contractual clauses involving a processor had to be supplemented by Article 28 compliant provisions, the new controller to processor EC Transfer SCCs incorporate GDPR compliant data processing terms, so when the controller to processor Transfer SCCs are used, EC Art. 28 SCCs (or any other form of additional data processing agreement) are not also required.
Unlike the EC Transfer SCCs, there is no imperative on companies to use the EC Art. 28 SCCs – they are entirely optional.
Many companies will have developed their own approaches to data processing agreements, be they template data processing agreements/addenda, or standard data processing clauses within service agreements. Whilst these will vary in length, detail and content as they relate to the writers’ specific requirements, the EC Art. 28 SCCs provide a standard model that can be used off the shelf.
The Commission is not the first to provide such a template. Article 28(8) of the GDPR invited supervisory authorities in EU countries to create Article 28(3) and (4) data processing agreements, and authorities in Germany (Baden-Württemberg) and Denmark have in the past taken up this invitation.
Companies have a choice: they can adopt the EC Art. 28 SCCs, or can continue to use their own Article 28-compliant data processing clauses.
A reminder that, since these clauses have been published after the UK left the European Union, they have no official standing in the UK (but that doesn’t mean that UK companies cannot choose to use them anyway if they would like).
The EC Art. 28 SCCs are presented as an annex which can be attached to commercial agreements. Clause 2 sets out the ‘invariability’ of the clauses – i.e. that they should not be modified except for adding information to the Annexes. Clause 2(b) clarifies that this does not prevent the Parties from including the clauses in a broader contract, but Parties will need to ensure that provisions in their contract do not contradict the clauses.
The best aspects of the November 2020 draft have been retained, and improvements to that draft have been made as well. Taking these points together:
Despite the clear improvement on the draft version, the final EC Art. 28 SCCs still have their issues:
Organisations will be used to negotiating either ‘pro-processor’ or ‘pro-controller’ approaches depending on where they sit in the supply chain. The EC Art. 28 SCCs don’t favour one party over the other wholesale, but do contain provisions which a controller or processor may prefer:
Generally, the gold-plating will be more off-putting to processors than controllers. Another example is the processor’s obligation to inform the controller without delay if it becomes aware that data is inaccurate (Clause 8(c)(3)).
Whilst they represent a useful tool, in practice many organisations may prefer to continue to use their own familiar templates, particularly if they take a more pro-processor or pro-controller approach.
Nevertheless, organisations may come across the EC Art. 28 SCCs in negotiations and it may be difficult to argue with provisions which the European Commission has itself prepared, even though they are non-mandatory.
The EC Art. 28 SCCs may also have value in providing a template against which data processing agreements can be compared and reviewed.
Given that the new EC Transfer SCCs include many of the provisions that the Commission has also included in its Article 28 SCCs, care will need to be taken to integrate home-made Article 28 data processing agreements with the EC Transfer SCCs’ provisions.