EU GDPR: Standard Contractual Clauses for Controllers and Processors

EU GDPR: Standard Contractual Clauses for Controllers and Processors

The European Commission, through its Implementing Decision (EU) 2021/915, adopted on  June 4, 2021, a set of Standard Contractual Clauses to be used between controllers and processors under Article 28(7) of General Data Protection Regulation (EU) 2016/679 (GDPR) and Article 29(7) of Regulation (EU) 2018/1725.

It should be noted that the European Commission has adopted these Standard Contractual Clauses to fulfill the GDPR requirements, according to which “in absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

Additionally, appropriate safeguards may be provided, without requiring any specific authorization from a supervisory authority, by – among others – standard data protection clauses adopted by the European Commission.


Focusing only on the GDPR, Article 1 of the new Implementing Decision declares the conformity of the Standard Contractual Clauses with Article 28(3) and (4) of the GDPR.

· According to Article 28(3), processing personal data shall be governed by a contract or other legal act under EU or Member State law, which is binding on the processor with regard to the controller. It also sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller(European Commission, 2021);

· Article 28 (4) deals with the case in which a processor engages another processor for carrying out specific processing activities on behalf of the controller, by providing additional requirements.


Article 2 of the Commission Implementing Decision states that the Standard Contractual Clauses may be used in contracts between a controller and a processor who processes personal data on behalf of the controller.

Article 3 adds that the Commission shall evaluate the practical application of such contractual clauses based on all available information as part of a periodic evaluation.

The mentioned clauses are listed in the Annex to the Commission Implementing Decision and are divided into three sections.

Section I includes five clauses, namely:

· Clause 1 – “Purpose and Scope”

· Clause 2 – “Invariability of the Clauses”

· Clause 3 – “Interpretation”

· Clause 4 – “Hierarchy”

· Clause 5 (optional) – “Docking clause”


Section II refers to the “Obligations of the Parties” and provides for the following clauses:

· Clause 6 – “Description of processing(s)”

· Clause 7 – “Obligations of the Parties”, subdivided in “7.1. Instructions”, “7.2. Purpose limitation”, “7.3. Duration of the processing of personal data”, “7.4. Security of processing”, “7.5. Sensitive data”, “7.6. Documentation and compliance”, “7.7. Use of sub-processors” and “7.8. International transfers”

· Clause 8 – “Assistance to the controller”

· Clause 9 – “Notification of personal data breach”, including “9.1. Data breach concerning data processed by the controller” and “9.2. Data breach concerning data processed by the processor”

Section III is dedicated to “Final Provision”:

· Clause 10 – “Non-compliance with the clauses and termination”


Finally, 4 Annexes accompany the Implementing Decision, namely “Annex I: List of Parties”, “Annex II: Description of the Processing”, “Annex III: “Technical and Organisational Measures including Technical and Organisational Measures to ensure the Security of the Data” and “Annex IV: List of Sub-processors”.


Davide Giacomello

Regulatory Affairs Department

22.11.2021


References:

EDPB. (2021).EDPB – EDPS Joint Opinion 1/2021 on the European Commission’s Implementing Decision on standard contractual clauses between controllers and processors. Retrieved on 22/11/2021 from https://edpb.europa.eu/sites/default/files/files/file1/edpb-edpsjointopinion01_2021_sccs_c_p_en.pdf#:~:text=Article%2028%20%287%29%20GDPR%20provides%20that%20the%20Commission,accordance%20with%20the%20examinationprocedure%20referredto%20in%20Article%2093%282%29.

EUR-Lex. (2021). Commission Implementing Decision of 4 June 2021. Retrieved on 22/11/2021 from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0915&from=EN

EUR-Lex. (2016).Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. Retrieved on 22/11/2021 from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

European Commission. (2021). Standard contractual clauses for controllers and processors in the EU/EEA. Retrieved on 22/11/2021 from https://ec.europa.eu/info/law/law-topic/data-protection/publications/standard-contractual-clauses-controllers-and-processors_en