Along with the adoption of the new standard contractual clauses for international transfers ("SCCs") on 4 June 2021 (which we discussed in an earlier client update), the European Commission ("Commission") also adopted the controller-processor Article 28 SCCs ("Processor SCCs"). The Processor SCCs are likely to become the market standard for compliance with Article 28 of Regulation (EU) 2016/679 ("GDPR") in the coming years.
Article 28 GDPR
Where a data processor processes personal data on behalf of a data controller, Article 28 of GDPR requires the parties to enter into a written contract (or other legal act) that sets out the subject matter, duration, nature and purpose of the processing and imposes specific obligations on the data processor. The Processor SCCs can now be used in data processing agreements to meet the requirements of Article 28(3) and (4).
Purpose and Scope
The purpose of the Processor SCCs is to ensure compliance with either Article 28(3) and (4) of GDPR or Article 29(3) and (4) of Regulation (EU) 2018/1725 ("Regulation on the Processing of Personal Data by European Institutions").
They set out the data protection obligations that a data controller must impose on the data processor under Article 28 of GDPR.
The Processor SCCs also set out the following four annexes that must be completed by the parties:
- Annex I – a list of the parties;
- Annex II – description of the processing;
- Annex III – technical and organisational measures, including the measures taken to ensure the security of the data; and
- Annex IV – a list of the sub-processors.
Entry into Force
The Processor SCCs came into force on 27 June 2021.
The parties cannot modify the Processor SCCs, except for adding information to the annexes. However, the parties can include the clauses in a broader contract and can add other clauses or safeguards so long as they do not conflict with the Processor SCCs or detract from the fundamental rights and freedoms of data subjects.
Clause 4 stipulates that where there is a contradiction between the Processor SCCs and any related agreements, the Processor SCCs will prevail.
The Processor SCCs may be used by multiple parties. Clause 5 provides for an optional docking clause which enables third parties to accede to the Processor SCCs without needing to conclude separate contracts. This will prove to be useful for complex, multi-party collaborations or for use within corporate groups.
Assistance to the Data Controller
Clause 8 requires the data processor to provide assistance to the data controller.
The data processor must:
- promptly notify the data controller of any request it has received from a data subject, and not respond to that request itself unless authorised to do so by the data controller;
- assist the data controller in fulfilling its obligations to respond to data subject requests; and
- assist the data controller in complying with its obligations (i) to carry out a data protection impact assessment ("DPIA"); (ii) to consult the supervisory authority prior to processing where a DPIA indicates a high risk; (iii) to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the data it is processing is inaccurate or outdated; and (iv) under Article 32 of GDPR or Articles 33 and 36 to 38 of the Regulation on the Processing of Personal Data by European Institutions.
Personal Data Breach Notification
Clause 9 requires the data processor to assist the data controller when it experiences a personal data breach.
Where the breach concerns data processed by the data controller, the data processor must assist the data controller to:
- notify the competent supervisory authority without undue delay after the data controller has become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- obtain the information to be included in that notification, namely (i) the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned; (ii) the likely consequences of the breach; and (iii) the measures taken (or proposed) to address the breach; and
- communicate the breach to the affected data subjects without undue delay, where the breach is likely to result in a high risk to their rights and freedoms.
Where the breach concerns data processed by the data processor, the data processor must notify the data controller without undue delay after becoming aware of it.
Further, the Processor SCCs require the parties to set out in Annex III any other elements to be provided by the data processor when assisting the data controller in complying with its obligations.
Non-Compliance and Termination
Clause 10 allows the data controller to instruct the data processor to suspend processing until it complies with the Processor SCCs. The data processor is required to promptly inform the data controller if, for whatever reason, it is unable to comply with the clauses.
The data controller is also entitled to terminate the contract if:
- the processing has been suspended due to non-compliance and compliance has not been restored within a reasonable time and in any event within one month following the suspension;
- the data processor is in substantial or persistent breach of the Processor SCCs, or of its obligations under GDPR and / or the Regulation on the Processing of Personal Data by European Institutions; or
- the data processor fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under the Processor SCCs, GDPR and / or the Regulation on the Processing of Personal Data by European Institutions.
The data processor can terminate the contract if, after having informed the data controller in accordance with Clause 7.1(b) that its instructions infringe applicable legal requirements, the data controller nevertheless insists on compliance with those instructions.
Sub-processors
Clause 7.7 offers two options for the engagement of sub-processors. Under option one (prior specific authorisation), the data processor cannot engage a sub-processor without the data controller's prior specific written authorisation. Under option two (general written authorisation), the data processor has the data controller's general authorisation to engage sub-processors from an agreed list, but must inform the data controller in advance of any intended additions or replacements so that the data controller has an opportunity to object.
Under either option, the data processor must impose on the sub-processor, by way of a written contract, the same data protection obligations that bind the data processor under the Processor SCCs, and the data processor remains fully responsible to the data controller for the sub-processor's performance. The data processor is also required to include a third-party beneficiary clause in its contracts with sub-processors. This allows the data controller to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data if the data processor has factually disappeared, ceased to exist in law or become insolvent.
Businesses should ensure that, whenever they process personal data on behalf of others (or third parties process personal data on their behalf), Article 28 clauses are in place. There is no obligation to use the Processor SCCs. Adopting them will, however, bring benefits in the form of reduced negotiation time and a ready means of demonstrating compliance with Article 28 of GDPR.
How Maples Group Can Help
We can assist with preparation of Processor SCCs and your approach to demonstrating GDPR compliance.
For further information, please liaise with your usual Maples Group contact or any member of the Maples Group Data, Commercial & Technology team below.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.