In addition to issuing new (draft) standard contractual clauses for transferring personal data outside of the EEA, on 12 November 2020 the European Commission published a draft decision on standard contractual clauses between controllers and processors (‘Clauses’) for the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679 (‘GDPR’).
Article 28(3) and (4) GDPR require that processing by a (sub-)processor is governed by a contract that is binding on the processor with regard to the controller. Such a contract must set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Moreover, the contract must include a number of obligations incumbent on the (sub-)processor, such as the obligation to process personal data only on documented instructions from the controller and to take all appropriate technical and organisational security measures to safeguard the data.
It is noteworthy that the use of the Clauses is not compulsory, and controllers and processors may still choose to negotiate individual contracts to satisfy the requirements of Article 28 GDPR. In the guidelines on the concepts of controller and processor in the GDPR[1], released in draft form earlier this year by the European Data Protection Board (‘EDPB’), the EDPB clarifies that there is no obligation for controllers and processors to enter into a contract based on standard contractual clauses, nor is the use of standard contractual clauses necessarily preferred over negotiating an individual contract. The EDPB also recalls that standard contractual clauses allow a certain degree of flexibility (referring to Recital 109 GDPR), which is reflected in the Commission’s draft decision as well. Recital 6 of that draft decision explicitly states that the controller and processor should be free to include the Clauses in a wider contract, and to add additional clauses provided that they do not contradict, directly or indirectly, the Clauses or prejudice the fundamental rights or freedoms of data subjects.
In its guidelines, the EDPB further recommends that an Article 28 contract should not merely restate the provisions of the GDPR, but rather include specific, more detailed descriptions of how the parties will meet the requirements set out in Article 28 GDPR. The draft Clauses provide a ready-to-use framework that helps controllers and processors comply with the EDPB’s recommendation.
Not all of the recommendations contained in the EDPB’s guidelines appear to be explicitly addressed in the Clauses. For example, the EDPB takes the position that an Article 28 contract ‘needs to include or reference’ an obligation on the processor to obtain the controller’s approval before making changes to the data security measures that are in place. The Clauses do not include such an obligation.
Another interesting feature of the Clauses is that they include seven annexes that will need to be completed by the parties with information and descriptions specific to the data processing in question. The EDPB’s guidelines may provide valuable insight into how best to complete these annexes.
The Clauses are currently open for public consultation until 10 December 2020.
[1] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 2 September 2020, version for public consultation (consultation status: Closed).