On June 4th 2021, the European Commission adopted revised standard contractual clauses for international personal data transfers (the “New SCCs”). The New SCCs were published officially on June 7th this year.
The New SCCs are modular. Depending on the position of the parties to the transfer under the GDPR, they can apply between the following parties:
Module (1) controller to controller;
Module (2) controller to processor;
Module (3) processor to processor; and
Module (4) processor to controller.
This is the fifth post in a series about practical aspects of the implementation of the New SCCs. In this post, we will focus on whether the New SCCs will replace the existing data protection agreements (“DPA”) between controllers and processors required under Article 28 of the GDPR.
The question we raise is whether using DPAs in the New SCCs era between a controller and a processor, or a processor and a sub-processor (i.e. modules (2) and (3)) still adds value to companies.
The New SCCs Include the Statutory GDPR Requirements
Articles 28(3) and (4) of the GDPR require controllers (or processors) to enter into DPAs with processors (or with ‘other processors’) who process personal data on behalf of the controller, regardless of the processors’ (and ‘other processors’) place of establishment and the applicability of the GDPR to their data processing activities.
The GDPR provides an exhaustive list of legal issues which should be handled in the form of DPAs, a list that every privacy practitioner already knows by heart. However, Article 28(7) of the GDPR may have escaped attention. Under that section, the EU Commission may lay down standard contractual clauses for the matters covered by Articles 28(3) and (4) of the GDPR. This is what the EU Commission has recently done.
Recital 9 of the European Commission’s Implementing Decision regarding the New SCCs states that the New SCCs may fulfil the requirements of Articles 28(3) and (4) of the GDPR where the processing of the personal data involves data transfers:
- from controllers subject to the GDPR to processors outside its territorial scope; or
- from processors subject to the GDPR to sub-processors outside its territorial scope.
Obviously, since the implementation of the New SCCs is not required when transferring personal data within the EEA, Recital 9 emphasizes that the processing should be carried out by a recipient outside the territorial scope of the GDPR in order to use the New SCCs instead of a DPA. However, the novel aspect of the New SCCs is that, unlike their previous versions, they may be used by controllers or processors who are subject to the GDPR although not established within the EEA, by virtue of Article 3(2) of the GDPR.
Would Replacing the DPA With the New SCCs be the Right Thing to Do?
DPAs are more than just DPAs. Although Article 28 of the GDPR enumerates the issues which should be included in a DPA, controllers use DPAs as a mechanism to reflect their privacy-related expectations of their processors. In parallel, many processors prepare their own versions of DPAs as a benchmark of their compliance with the GDPR and their care for privacy, to provide the necessary comfort to their clients.
Controllers and processors are also encouraged to do so by the European Data Protection Board. In the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, which was published on July 7, 2021 (after the adoption of the New SCCs), the EDPB takes the position that DPAs should not “merely restate the provisions of the GDPR”, and that they “should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement” (i.e. the DPA).
Evidently, one can find different variations of DPAs that include clauses which are not mandatory, such as lawfulness of the processing, expanded assistance duties and the identity of the party responsible for paying the derived costs, additional limitations on personnel, limitation of liability, implementation of specific security measures and required standard certifications, handling procedures for personal data breaches, deletion mechanisms, etc.
Additionally, Recital 3 of the European Commission’s implementing decision regarding the New SCCs mentions the exporters’ and importers’ ability to include the New SCCs in a wider contract and to add any clauses on condition that they do not contradict, directly or indirectly, the New SCCs or the fundamental rights and freedoms of data subjects. In our previous posts, we have reviewed the wide room for discretion that the New SCCs leave in relation to specific arrangements.
Standard Statutory DPAs
We note that on the same day as the publication of the New SCCs, the EU Commission published its new version of standard contractual clauses for controller-processor (or processor-‘other processor’) engagements which do not involve a data transfer.
These standard contractual clauses cover the mandatory requirements of Article 28 of the GDPR. However, they also cover additional legal issues that the parties to the agreement may not want to include:
- The obligation of the processor to apply specific restrictions or additional safeguards, if processing involves special categories of personal data.
- The obligation of the processor to agree to a third-party beneficiary clause with the sub-processor, which may be executed if the processor has factually disappeared, ceased to exist in law or has become insolvent.
- The processor may transfer data to a non-EEA country that has not been found adequate only following a documented instruction of the controller, where required under Union or Member State law, or using the New SCCs. In any case, this should be done in accordance with the relevant provisions of the GDPR.
- The obligation of the processor to ensure that personal data is accurate and up to date, as part of its assistance obligations to the controller.
- A distinction between a personal data breach which is under the controller’s responsibility and one under the processor’s responsibility, and a requirement to include the appropriate technical and organizational measures by which the processor is required to assist the controller when a personal data breach occurs.
- Provisions on non-compliance with these clauses and on termination.
To conclude, under the implementing decision of the New SCCs, using them is sufficient and replaces the need for a DPA under Articles 28(3) and (4) of the GDPR in data transfer cases. However, in practice, DPAs go beyond the obligations of Articles 28(3) and (4) and remain the main contractual instrument for engagements that do not require a data transfer.
*Read our previous posts (first, second, third and fourth) on the New SCCs, discussing the operational and financial aspects of Clause 15, the warranty and assessment obligations under Clause 14, and the notification obligations between the parties to the New SCCs, to supervisory authorities and to data subjects.
*This post does not constitute a legal opinion.