Our Privacy, Cyber & Data Strategy Team answers five questions about the standard contractual clauses that aim to ensure compliance with Articles 28(3) and (4) of the General Data Protection Regulation.
Our Privacy, Cyber & Data Strategy Team previously reported on the “10 Key Takeaways from the European Commission’s New SCCs” for the transfer of personal data outside the European Economic Area (EEA). Together with the new EU standard contractual clauses for international data transfers, the European Commission also adopted standard contractual clauses between controllers and processors for the matters referred to in Articles 28(3) and (4) of the General Data Protection Regulation (GDPR).
Articles 28(3) and (4) require that processing by a processor, or by a sub-processor it engages, is governed by a contract (or another legal act under Union or Member State law) that is binding on the processor with regard to the controller. The contract needs to set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Moreover, the contract must impose a number of obligations on the (sub)processor, such as the obligation to process personal data only on documented instructions from the controller and to implement all the technical and organizational security measures required by Article 32 to safeguard the data.
The standard contractual clauses between controllers and processors for the matters referred to in Articles 28(3) and (4) adopted by the European Commission aim to ensure compliance with the Articles 28(3) and (4) requirements in a standardized manner.
1. Are controllers and processors obliged to use the Article 28 clauses for their data processing agreements?
No, it is up to the controllers and processors to decide whether or not to use the Article 28 clauses, in whole or in part, to satisfy the Article 28(3) and (4) requirements. Controllers and processors may equally choose to negotiate an individual contract containing the compulsory elements set out in Article 28(3).
According to the European Data Protection Board, the use of standard contractual clauses is not necessarily preferred over negotiating an individual agreement. Nonetheless, standard contractual clauses may simplify the negotiations between controllers and processors over data processing agreements.
2. Do the Article 28 clauses ensure compliance with all Article 28(3) requirements?
Yes, provided that the parties properly complete the annexes and do not alter the clauses themselves. The purpose of the Article 28 clauses is to ensure compliance with Articles 28(3) and (4).
3. Can controllers and processors modify the Article 28 clauses?
No, the Article 28 clauses need to remain “standard.” Except for adding the required information to the annexes or updating information in them, controllers and processors are not allowed to modify the Article 28 clauses.
It is allowed, however, to include the Article 28 clauses in a broader contract and add other clauses or additional safeguards, provided that they do not contradict the Article 28 clauses or prejudice the fundamental rights and freedoms of data subjects.
4. Do the Article 28 clauses require additional language from controllers and processors?
Yes. Controllers and processors that want to make use of the Article 28 clauses will need to complete up to four annexes, which supply the party-specific and processing-specific information that the standard clauses themselves leave open.
5. Can third parties become a party to the Article 28 clauses?
In principle, yes. Clause 5, which is optional, is a docking clause that allows a third party to accede to the Article 28 clauses at any point during the life cycle of the contract, with the agreement of all existing parties.
Once the annexes are completed and signed, the acceding entity will become a party to the Article 28 clauses and be treated as such from that moment on.
Alston & Bird will continue to analyze the Article 28 clauses. We will publish additional work on this and related topics.