Wait There’s More: EU Article 28 SCCs Have Now Also Been Finalized
Alongside finalized standard contractual clauses for transfers of personal data from the EU to third countries (“transfer SCCs” – see our alert for more information), the European Commission (EC) also issued on June 4, 2021, a finalized set of standard contractual clauses to serve as a model for data processing agreements between controllers and processors that are both located in the EU (“Art. 28 SCCs”) under Article 28 of the General Data Protection Regulation 2016/679 (GDPR). The Art. 28 SCCs are effective as of June 27, 2021.
Under the GDPR, controllers and processors are required to enter into a contract or other binding legal agreement that contains a number of elements listed in Article 28 of the GDPR. Although these elements are rather prescriptive, the GDPR has not imposed a specific template. However, it does set out that the EC or EU supervisory authorities (SAs) may issue their own template of standard contractual clauses. A number of SAs have already done so[1]. Now, the EC has come out with its own version, the Art. 28 SCCs.
The Art. 28 SCCs and transfer SCCs address different issues. The Art. 28 SCCs focus on ensuring that there is a data processing agreement between a controller and processor, where both parties are located in the EU. Also, the Art. 28 SCCs are optional, meaning that companies are not required to use them and can instead put in place their own Article 28 agreements.
In contrast, the transfer SCCs enable the transfer of personal data from an exporter located in the EU to an importer outside the EU. The transfer SCCs are not optional, in the sense that the parties cannot draft their own template transfer clauses. In addition, the parties will have to adapt their current agreements down the road (by December 27, 2022 at the latest) to incorporate the transfer SCCs, which is not the case for the Art. 28 SCCs. It is also important to remember that the transfer SCCs already incorporate the requirements of Article 28 of the GDPR. Therefore, the Art. 28 SCCs are only intended to be used where a cross-border transfer does not also take place alongside the processing, for which the transfer SCCs would otherwise be used.
Ultimately, the use of the terminology “standard contractual clauses” may be misleading as there is a risk of confusing these different sets of clauses. But, in short, you could say that the Art. 28 SCCs offer a standard for data processing agreements, while the transfer SCCs are the standard for transfer purposes.
The Art. 28 SCCs are certainly useful for companies that need an agreement off the shelf which they know will meet the conditions of Article 28 of the GDPR. That being said, a degree of customization is still needed. The Art. 28 SCCs contain four annexes to fill out, depending on the parties’ choices. In any case, even if companies choose to use their own template, the Art. 28 SCCs may help expedite negotiations, to the extent that the parties can reference or borrow language from the Art. 28 SCCs.
The Art. 28 SCCs contain a number of noteworthy elements, including:
Finally, being “standard” clauses, the Art. 28 SCCs are intended to satisfy requirements of Article 28 of the GDPR without requiring any further contractual assessment from the companies using them. At the same time, this is only true to the extent that the Art. 28 SCCs are used in an unaltered format. Organizations are permitted to add provisions (e.g., according to applicable law and jurisdiction) or safeguards to the Art. 28 SCCs, provided that they do not contradict the provisions of the SCCs or detract from individuals’ rights. Making additional changes or alterations will cause the Art. 28 SCCs to be an “ad hoc” Article 28 agreement, meaning that organizations are themselves responsible for ensuring that the agreement complies with Article 28 of the GDPR.
[1] See, e.g., Denmark, Slovenia and Lithuania at https://edpb.europa.eu/our-work-tools/our-documents/topic/standard-contract_en.
[2] Guidelines on Personal data breach notification under Regulation 2016/679, page 13.