The European Fee publishes draft customary contractual clauses for Article 28 information processing agreements
On November 12, 2020, in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses that are to apply between controllers and processors in the US EEA (“EEA- Controller Processor SCCs “).
The EEA Controller Processor SCCs are designed to assist organizations that rely on third parties in the EEA to perform certain data processing activities on their behalf (i.e. “Data Processors”) in order to meet their obligations under the General Data Protection Regulation of the EU (“GDPR”) . In particular, Article 28 of the GDPR requires controllers to enter into an agreement (or other legal act) when outsourcing data processing activities to a data processor and sets out the data protection obligations that must be covered in such a data processing agreement. These data protection obligations include obligations of the data processor in relation to: (1) compliance with the processing instructions of the data controller; (2) return or deletion of data at the end of the data processing services; (3) information security; (4) Support of the data controller in fulfilling his obligations under the GDPR, e.g. B. in relation to requests for data subject rights, data breach notification and data protection impact assessments; (5) Allow and support audits carried out by the controller or another auditor; and (6) involvement of subprocessors.
With the EEA Controller Processor SCCs, the European Commission would like to provide organizations that are subject to the GDPR with a standard data processing agreement that meets the requirements set out in the GDPR in accordance with Article 28 (7) of the GDPR. In addition to the data protection provisions set out in the main body of the contractual clauses, the EEA Controller Processor SCCs contain a number of annexes that must be completed by the parties, including a detailed description of the: data processing activities; Information security measures; Instructions, special restrictions and / or safeguards by the controller with regard to the processing of sensitive personal data; subprocessors involved in the data processing activities; and measures with which the data processor must support the data controller.
The use of ECC Controller Processor SCCs is not mandatory and organizations can still use their own custom data processing agreements to meet their obligations under Article 28 of the GDPR. However, the SCCs for EEA controllers and processors give a clear signal of the level of detail that the European Commission expects in these data processing agreements.
The drafts of the EEA Controller Processor SCCs can be publicly consulted until December 10, 2020. Feedback can be given here.