So much has been said about the new Cross-Border standard contractual clauses (SCC), which the EU Commission finally adopted on 4 June 2021 (see GT blog post from 9 June 2021), that it almost went unnoticed that the Commission published two different kinds of SCC that day. The other set of SCC (the DPA-SCC) addresses controller-processor data processing agreements (that do not necessarily involve cross-border transfers).
What are DPA-SCC, and to which situations do they apply?
As with the Cross-Border SCC, the EU Commission had published a draft of the DPA-SCC for public consultation in November 2020 (for details, see GT blog post from 18 November 2020). The background for the DPA-SCC, which do not have a predecessor under the EU data protection directive, is that Article 28(3) GDPR provides for several mandatory elements to be included in data processing agreements (DPAs) between a controller and a processor, and Article 28(7) GDPR permits the Commission to “lay down standard contractual clauses” for such DPAs. So that is what the new DPA-SCC are: They provide a template that standardizes the data-protection-related rights and obligations of the respective parties in DPAs and that ensures GDPR compliance if used correctly.
Note: The DPA-SCC are not mandatory, i.e., parties can use other provisions in their DPA if they comply with Article 28(3) GDPR, and, unlike the Cross-Border SCC, the DPA-SCC may be amended. Also, while the Cross-Border SCC address data transfers to non-EU and non-EEA countries (third countries), including between controllers and processors, the DPA-SCC can only be used for data processing inside the EU/EEA. In this respect, they follow a different approach and are shorter and simpler.
What are the key takeaways?
- Unlike with the Cross-Border SCC, the European Commission had not previously provided standard clauses for contractual relations between controllers and processors, so the DPA-SCC are a novelty (at the EU level) and not “merely” an update. While in the past some national data protection laws provided for quite specific provisions to be included in DPAs, and some national data protection authorities had provided DPA templates, the DPA-SCC apply at the European level and thus no longer require an analysis of national decisions.
- Controllers and processors may use the new DPA-SCC to comply with Article 28 GDPR. Hence, the DPA-SCC are particularly convenient for companies with lower administrative capacities that have not yet established their own GDPR-compliant “standard” DPA.
- If, however, data is exported to third countries, the DPA-SCC alone are not sufficient to ensure that the processing is lawful. On the other hand, the Cross-Border SCC contain the required provisions of a DPA pursuant to Article 28 GDPR, so in these cases the use of the Cross-Border SCC is sufficient.
How are the DPA-SCC used?
The DPA-SCC consist of two parts, namely the contractual clauses themselves, which (subject to a few options) should not be modified, and four annexes, which need to be completed individually by the parties. Of course, unlike the Cross-Border SCC, the DPA-SCC do not have to be used for the parties' data processing arrangements. However, the big advantage of using them is that the parties can be sure that their data processing agreement will be compliant with the requirements of Article 28 GDPR – a benefit that is lost if the “mandatory” parts are changed.
Annex I names the parties. Annex II includes descriptions of the respective processing (e.g., categories of data subjects and data processed). Note that the EU Commission removed some particularly far-reaching mandatory elements that were still included in the last draft version (e.g., “record(s) of processing” and “place of storage and processing of data”). Annex III lists the technical and organizational measures regarding data security implemented by the data processor. These need to be described in detail, not generically. A list of possible measures is provided, including, for example, pseudonymization and encryption of personal data, measures for internal IT and IT security governance and management, and measures to protect personal data during transmission. Also, if sub-processors are used, the specific technical and organizational measures to be taken by each sub-processor must be described. The selection, implementation, and description of such measures will require less preparatory work than is required for the Cross-Border SCC, as no third-country legislation and other risks that follow from a transfer of data to a third country need to be assessed. Annex IV names sub-processors, including the scope of their sub-processing.
What might cause confusion: The DPA-SCC apply both to data processing agreements that are subject to the GDPR and to data processing agreements subject to Regulation (EU) 2018/1725, which is “the GDPR for EU institutions”. Hence, there are a number of alternatives in the DPA-SCC that only apply if they are used by an EU institution (and otherwise need to be deleted).
When do the new DPA-SCC enter into force?
Like the Cross-Border SCC, the DPA-SCC have been applicable since 27 June 2021. As the DPA-SCC are not mandatory, existing (and future) DPAs remain effective if they meet the requirements under GDPR.