Alston & Bird Privacy Blog

European Commission Publishes Draft ‘Article 28’ Standard Contractual Clauses

November 18, 2020 By Yung Shin Van Der Sype, Paul Greaves and Wim Nauwelaerts

In addition to issuing new (draft) standard contractual clauses for transferring personal data outside of the EEA, on November 12, the European Commission published a draft decision on standard contractual clauses between controllers and processors (‘Clauses’) for the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679 (“GDPR”).

Article 28(3) and (4) GDPR require that processing by a (sub-)processor is governed by a contract that is binding on the processor with regard to the controller. Such contract needs to set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. Moreover, the contract must include a number of obligations incumbent on the (sub-)processor, such as the obligation to process personal data only on documented instructions from the controller, and to take all appropriate technical and organizational security measures to safeguard the data.

It is noteworthy that the use of the Clauses is not compulsory, and controllers and processors may still choose to negotiate individual contracts to satisfy the requirements of Article 28 GDPR. In the guidelines on the concepts of controller and processor in the GDPR[1], released in draft form earlier this year by the European Data Protection Board (‘EDPB’), the EDPB clarifies that there is no obligation for controllers and processors to enter into a contract based on standard contractual clauses, nor is the use of standard contractual clauses necessarily preferred over negotiating an individual contract. The EDPB also recalls that standard contractual clauses allow a certain degree of flexibility (referring to Recital 109 GDPR), which is reflected in the Commission’s draft decision as well. Recital 6 of that draft decision explicitly states that the controller and processor should be free to include the Clauses in a wider contract, and to add additional clauses provided that they do not contradict, directly or indirectly, the Clauses or prejudice the fundamental rights or freedoms of data subjects.

In its guidelines, the EDPB further recommends that an Article 28 contract should not merely restate the provisions of the GDPR, but rather include specific, more detailed descriptions of how the parties will meet the requirements set out in Article 28 GDPR. The draft Clauses provide a ready-to-use framework that helps controllers and processors comply with the EDPB’s recommendation.

Not all of the recommendations contained in the EDPB’s guidelines appear to be explicitly addressed in the Clauses. For example, the EDPB takes the position that an Article 28 contract ‘needs to include or reference’ an obligation on the processor to obtain the controller’s approval before making changes to the data security measures that are in place. The Clauses do not include such an obligation.

Another interesting feature of the Clauses is that they include seven annexes that will need to be completed by the parties with information and descriptions specific to the data processing in question. The EDPB’s guidelines may provide valuable insight into how best to complete these annexes.

The Clauses are currently open for public consultation until 10 December 2020.


[1] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 2 September 2020, version for public consultation (consultation status: Closed).

Filed Under: Data Protection, International, Legislation, Regulation

About Yung Shin Van Der Sype

Yung Shin is an associate in the Technology & Privacy Group.

About Paul Greaves

Paul Greaves is an associate in the Brussels office and a member of the Privacy & Data Security Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.


About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy & Data Security Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

