The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the European Commission Implementing Decision on Standard Contractual Clauses Between Controllers and Processors. The aim is to ensure consistency and a correct application of Article 28 GDPR as regards the presented Draft SCCs that could serve as standard contractual clauses in compliance with Article 28 (7) Regulation (EU) 2016/679 (GDPR) and Article 29 (7) Regulation (EU) 2018/1725 (EUDPR).
Main comments from the Opinion are listed below.
Comments on the Draft Decision
The current wording suggests that controllers and processors subject to the GDPR and the EUDPR can rely on these clauses. However, the intention of the Commission seems to be to cover only relationships between these entities within the EU. Therefore, the view of both authorities is that it should be clarified whether entities established outside the EU could rely on these clauses.
In addition, the EDPB and the EDPS are of the view that these clauses could be used in other situations as well, not only to cover intra-EU situations, for instance, where one party is located in an adequate country. Moreover, if the purpose of these clauses is to cover transfers outside of the EU as well, then it should be clarified that they are not sufficient to meet all the requirements under the GDPR and the EUDPR such as rules related to international transfers.
Lastly, it should be made clear that when parties intend to benefit from SCCs both under Article 28 (7) GDPR and Article 46 (2) GDPR, then parties need to rely on transfer SCCs.
Main comments on the Annex to the Commission implementing decision
Purpose and scope (Clause 1 of the Draft SCCs)
The EDPB and EDPS are of the view that parties should be able to choose either references to the GDPR or the EUDPR depending on the relevant Regulation applicable to their situation.
Furthermore, the SCCs (and their Annexes) should require parties to further detail and delimit the allocation of responsibilities and to indicate clearly which processing is carried out by which processor(s) on behalf of which controller(s) and for which purposes.
Invariability (Clause 2 of the Draft SCCs)
To provide controllers and processors with legal certainty, the Commission should clarify the type of clauses it would consider as directly or indirectly contradicting the SCCs. Such clarification could for instance indicate that clauses contradicting the SCCs would be those that undermine or negatively impact the obligations prescribed in the SCCs or prevent compliance with the obligations contained in the SCCs.
Docking clause (Clause 5 of the Draft SCCs)
The Draft SCCs allow third parties to accede to the SCCs. It should be made clear which processing is carried out by which processor(s) on behalf of which controller(s) and for which purposes, in order to qualify the role of any such new party properly.
The EDPB and EDPS are of the view that it should be clarified how the parties to the agreement could agree to the accession of new parties: whether the agreement should be in writing or not, what the deadline to provide such agreement would be, and what information is needed before agreeing. Also, the EDPB and EDPS would welcome clarification as to whether and how such agreement has to be given by all the parties, irrespective of their qualification and role in the processing.
Obligations of the Parties (Clause 7 of the Draft SCCs)
The EDPB and EDPS are of the view that the responsibilities of the controller as mentioned in Article 28(3) GDPR should be referenced in a clause within the SCCs and further specified in Annex IV. Furthermore, since subsequent instructions could be given by the controller, they should be in line with the rights and responsibilities of the parties set out in the SCCs, which should be specified in the SCCs.
Additional language should be added to ensure consistency with the GDPR (see underlined): “The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest”.
Also, both authorities propose that the Commission invite the parties to include in the contract provisions on the consequences of the processor notifying the controller of an infringing instruction, such as the possibility for the processor to suspend the implementation of the affected instruction until the controller confirms, amends or withdraws its instruction, or a clause on the termination of the contract in case the controller persists with an unlawful instruction.
The EDPB and EDPS call on the Commission to specify in the Clause itself that the controller should be able to modify the choice whether to request erasure or return of the data, made at the time of signature of the contract, throughout the life cycle of the contract and upon termination.
The SCCs should be amended to include the controller’s obligations around security and require it to provide all useful information to the processor to comply with the relevant security requirements.
Instead of prescribing that the processor has a maximum of 48 hours to notify the controller of a data breach, the proposed change would require the parties to specify in the SCCs the timeframe agreed for such notification.
The current draft of the SCCs prescribes that the controller can rely on an independent auditor mandated by the processor when conducting audits. In order for this provision to be aligned with Article 28(3)(h) GDPR, the suggestion is that the processor might propose an auditor, but the decision about the auditor has to be left to the controller. The authorities propose that the clause defining who bears the cost of the independent audit should be deleted, as it is not regulated by the GDPR.
The EDPB and EDPS have invited the Commission to specify its position in Clause 7.7 and introduce a possibility for the processor and sub-processor to sign one single set of SCCs which aims at compliance with the GDPR provisions on transfers and Article 28. It should be clarified whether parties then need to rely on this set of SCCs or rather on the transfer SCCs also providing safeguards under Article 28 (3) and (4) of the GDPR. Since transfers to a third country or international organisation could be safeguarded not only by employing SCCs, the authorities suggest using a more generic clause than the present one to refer to the transfer tools under Article 46 GDPR.
Data Subject rights (Clause 8 of the Draft SCCs)
The EDPB and EDPS suggest renaming the clause to “Assistance to the data controller” to reflect the wording of the clause, as it covers assistance with data subject rights, data breaches and providing appropriate security and organisational measures. As an alternative, it could be split into two clauses, one covering assistance with data subject rights and the second covering the rest.
In addition, it should be specified that the processor should respond to the data subject only on the instruction of the controller and that this should be described in Annex VII.
The SCCs require the parties to name the Supervisory Authority, but they do not take into account that there could be a plurality of SAs due to the number of parties to the agreement.
Also, the Commission should assess whether additional clauses are required to address situations where processors within the EU are subject to the laws of third countries.
Annexes to the Draft SCCs
The EDPB and EDPS emphasise the importance of filling out the Annexes appropriately to ensure that the responsibilities of the parties are clear: which party is processing personal data for whom and for what purpose, what instructions are applicable, and who is allowed to give instructions. Unless the differences between the various processing activities are limited and clearly mentioned in the Annexes, the Annexes should be completed so that the details of each situation or relationship are clearly set out.
You can access the Opinion by clicking here.
We have published an overview of these clauses back in November and the article can be accessed here.