The European Commission recently released the draft standard contractual clauses between controllers and processors in the European Economic Area - i.e., draft data processing provisions in line with Article 28 of the GDPR (the “Draft Art. 28 SCCs”) which are open for consultation until early December. These Draft Art. 28 SCCs were announced on the same day that the European Commission released the draft standard contractual clauses for the transfer of personal data to third countries (further details of which can be read here).
Background: Article 28
Article 28 of the GDPR governs the relationship between a controller and a processor and specifically, Articles 28(3) and 28(4) together set out the details and provisions which must be included in all contracts between controllers and processors when seeking to undertake relevant processing activities. The details required include, for example, a description of the purpose and duration of the processing, and details of the technical and organisational measures deployed to ensure security of the data. The provisions required include, amongst other things, obligations on the processor to: (i) process personal data only on the documented instructions of the controller; (ii) implement appropriate security measures; and (iii) provide assistance to the controller in complying with its obligations under the GDPR, such as data subject rights and notification of data breaches.
In preparing the Draft Art. 28 SCCs, the European Commission exercised its right under Article 28(7) of the GDPR. The Draft Art. 28 SCCs are intended to act as a standard form data processing agreement which contains the details of processing and complies with the minimum contractual requirements under Article 28 GDPR (as discussed above). It is important to note that the Draft Art. 28 SCCs will be available for use at the discretion of organisations. It will not be mandatory to use these Draft Art. 28 SCCs for all controller-processor relationships. Organisations will be permitted to continue to use their own standard form data processing agreements, and, where appropriate, organisations could look to the Draft Art. 28 SCCs for guidance on, or examples of, the provisions required by Article 28. Organisations should, at all times, ensure that all controller-processor data processing agreements comply with the minimum contractual standards required by Article 28 and contain an appropriate level of detail similar to that reflected in the Draft Art. 28 SCCs.
Given the form of Article 28 and the time passed since the GDPR was implemented, many standard form data processing agreements have been prepared and market practices developed with regard to, for example, the commercial application of the provisions required by Article 28. Further, the Draft Art. 28 SCCs do not add much to what we already know about the application of Article 28 GDPR. That said, by issuing the Draft Art. 28 SCCs, the European Commission is demonstrating the minimum level of detail it expects to see in data processing agreements between controllers and processors, both with respect to the details of processing activities and the contractual obligations. Note that certain of the language used is very similar, if not the same, to that used in the standard contractual clauses for data transfers.
As noted, the Draft Art. 28 SCCs are open for consultation until early December. At the time of writing, it is difficult to predict the degree to which the Draft SCCs will be further amended. However, in our view, based on the similarities with the standard contractual clauses for data transfers, any changes proposed will likely be considered in line with the standard contractual clauses for data transfers.