Overview of the European Commission Draft of Standard Contractual Clauses Between Controllers and Processors Located in the EU
The European Commission (EC) has published a draft of the new standard contractual clauses between controllers and processor located in the EU (Clauses) open for public feedback until December 10, 2020.
The purpose of these Clauses is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 (GDPR) and Article 29(3) and (4) of the Regulation (EU) 2018/1725. They may be used in contracts between a controller and a processor who processes personal data on its behalf, where the controller and the processor are subject to the GDPR or the Regulation (EU) 2018/1725.
The Clauses are not supposed to be modified, however, they can be included in a wider contract or added to other Clauses or additional safeguards, provided that the latter do not contradict, directly or indirectly, the standard contractual Clauses or prejudice the fundamental rights or freedoms of data subjects.
Any entity not a party to the Clauses may accede to the Clauses, either as a controller or a processor, with the agreement of all other parties. Such entity has to complete Annex I, Annex II and Annex III.
The processor shall process the personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions should be specified in Annex IV. Subsequent instructions should always be documented. The processor shall immediately inform the controller if the instructions given by the controller, in the opinion of the processor, infringe the GDPR and/or Regulation (EU) 2018/1725.
The processor is expected to process the personal data only for purposes stated in Annex II.
Processing of the personal data should not exceed the duration specified in Annex II. Depending on the choice of the controller, the processor will delete all the personal data and certify that to the data controller or return the personal data to the controller and delete existing copies, unless Union or Member state law require further storage of the personal data.
The data processor shall implement the technical and organisational measures specified in Annex III to ensure the security of the personal data.
In case of a data breach affecting personal data processed by the controller, the processor will notify the controller without undue delay and at the latest within 48h after having become aware of the breach. The processor should cooperate with the controller to manage the data breach properly. The notification to the controller should contain at least: the details of a contact point where more information concerning the personal data breach can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and data records concerned), its likely consequences and the measures taken or proposed to be taken to mitigate its possible adverse effects. Annex VII should contain all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority.
The processor shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. Such staff should commit themselves to a confidentiality.
The processor should provide to the controller all information necessary to demonstrate compliance with the obligations set out in the Clauses and at the controller’s request. The controller may conduct the audit by itself, hire an independent auditor at its own cost or to rely on an independent audit mandated by the data processor.
If special categories of personal data are processed, specific restrictions and/or additional safeguards applied should be laid out in Annex V.
Sub-processors may be engaged after either obtaining prior explicit written authorization or in a case of a general written authorization. Annex VI should contain a list of names of approved or named sub-processors depending on whether the processor must obtain written authorization or just inform the controller about the names of sub-processors. In both cases period of time, before requesting approval or making changes in the list of sub-processors respectively, must be specified.
The processors should impose same obligations to sub-processors, as the ones imposed on the processor.
Any transfer of data to a third country or an international organisation by the data processor shall be undertaken only on the basis of documented instructions from the data controller in compliance with Chapter V of the GDPR.
If the processor uses sub-processor for carrying out specific processing activities in a third country, the processor and the sub-processor may use standard contractual clauses adopted by the EC provided the conditions for the use of those clauses are met.
The processor should promptly notify the data controller about any request received directly from the data subject. It shall not respond to that request itself, unless and until it has been authorised to do so by the data controller.
The processor has an obligation to assist the controller in fulfilling its obligations to respond to data subject request for the exercise of their rights.
Furthermore, the processor should assist the controller in ensuring compliance with the obligations to notify data breach to the competent authority (which should be named) and communicate without undue delay the personal data breach to the data subject (both when required under the GDPR and/or Regulation (EU) 2018/1725), carry out the DPIA where a type of the processing is likely to result in a high risk to the rights and freedoms of individuals and consult the competent supervisory authority where the processing would result in a high risk in the absence of the controls to mitigate such risk.
Annex VII should contain the appropriate technical and organizational measures by which the data processor is required to assist the data controller.
If the data processor is in breach of its obligations under the Clauses the controller may instruct the processor to temporarily suspend the processing of personal data until it complies with the Clauses or the contract is terminated.
The processor should inform the controller if it is unable to comply with the Clauses.
The data controller may terminate the Clauses where the processing has been suspended and the processor’s compliance with the Clauses has not been restored within one month, the processor is in substantial or persistent breach of the Clauses or it obligations under the GDPR or the Regulation (EU) 2018/1725, the data processor fails to comply with a binding decision of a competent court or the competent supervisory authority (name of the SA should be indicated) regarding its obligations under the Clauses, the GDPR or the Regulation (EU) 2018/1725
Annex I should contain identity and contact details of the data controllers and their representatives where applicable, and the processors.
Annex II should contain the purpose and duration of the processing, categories of data subjects and personal data processed, special categories of personal data (if applicable), records of processing and place of storage and processing of personal data.
Annex III should contain technical and organizational measures to ensure the security of personal data. Where necessary it should describe the requirements for pseudonymization and encryption of personal data; ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; users indentification and authorization; the protection of data during transmission; the protection of data during storage; physical security of locations at which personal data are processed; events logging; system configuration, including default configuration; internal IT and IT security governance and managements; certification/assurance of processes and products; data avoidance and minimisation; data quality; data retention; accountability; data portability and data disposal.
Annex IV should contain instructions from the data controller to data processor in regard with processing of personal data.
Annex V should contain specific restrictions and/or additional safeguards for processing of special categories of personal data such as access restrictions, keeping a record of access to the data, restrictions of the purposes for which the information may be processed, additional security measures (e.g. strong encryption for transmission), requirement of specialised training for staff allowed to access the information.
Annex VI should contain list of sub-processors.
Annex VII should contain appropriate technical and organisational measures by which the data processor is required to assist the data controller.
The draft of the Clauses and the implementing decision are available here. Feedback to the Clauses and the decision can be given here.
Written by
Stevan Stanojevic
Photo by Artem Podrez from Pexels.
Ideas expressed in this summary are personal views of the author and do not constitute legal advice.