FAQ – Standard contractual clauses for controllers and subcontractors in the EU / EEA | Alston & Bird

On June 4, 2021, the European Commission adopted standard contractual clauses between data controllers and processors for the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679 (the "GDPR") (the "Article 28 clauses").

Article 28(3) and (4) GDPR requires that processing by a (sub-)processor be governed by a contract that binds the processor with regard to the controller. This contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the controller. In addition, the contract must include a number of obligations incumbent on the (sub-)processor, such as the obligation to process personal data only on documented instructions from the controller and to implement all appropriate technical and organisational security measures to protect the data.

Our Privacy, Cybersecurity and Data Security team answers some frequently asked questions about the standard contractual clauses for controllers and processors in the European Union / European Economic Area below:

  • Are data controllers and processors obliged to use the clauses of Article 28 for their data processing agreements?
  • Do the clauses of Article 28 guarantee compliance with all the requirements of Article 28 (3) and (4) of the GDPR?
  • Can data controllers and processors modify the clauses of Article 28?
  • Do the clauses of Article 28 require additional language from controllers and processors?
  • Can third parties become party to the clauses of Article 28?

  1. Are data controllers and processors obliged to use the clauses of Article 28 for their data processing agreements?

No, it is up to controllers and processors to decide whether or not to use the clauses of Article 28, in whole or in part, to meet the requirements of Article 28 (3) and (4) GDPR. Data controllers and processors can also choose to negotiate an individual contract containing the mandatory elements set out in Article 28 (3) of the GDPR.

According to the European Data Protection Board (“EDPB”), the use of standard contractual clauses is not necessarily preferred over the negotiation of an individual agreement. However, standard contractual clauses can simplify negotiations between data controllers and processors regarding data processing agreements.

  2. Do the clauses of Article 28 guarantee compliance with all the requirements of Article 28 (3) of the GDPR?

Yes, provided the annexes are duly completed by the parties. The purpose of the Article 28 clauses is to ensure compliance with Article 28(3) and (4) GDPR.

  3. Can data controllers and processors modify the clauses of Article 28?

No, the Article 28 clauses must remain "standard". Apart from adding the required information to the annexes (see below) or updating the information they contain, controllers and processors are not permitted to modify the Article 28 clauses.

It is, however, permissible to incorporate the Article 28 clauses into a broader contract and to add further clauses or safeguards, provided these neither contradict the Article 28 clauses nor prejudice the fundamental rights and freedoms of data subjects.

  4. Do the clauses of Article 28 require additional language from data controllers and processors?

Yes, controllers and processors wishing to use the Article 28 clauses must complete up to four annexes:

  • Annex I, "List of parties": the identity and contact details of the controllers and processors that have accepted the Article 28 clauses.
  • Annex II, "Description of the processing": details of the processing activities, namely the categories of data subjects whose personal data are processed, the categories of personal data processed, any sensitive data processed and the restrictions and safeguards applied to it, the nature of the processing, the purposes for which the personal data are processed on behalf of the controller, the duration of the processing, and the subject matter, nature and duration of any processing by (sub-)processors.
  • Annex III, "Technical and organisational measures, including technical and organisational measures to ensure the security of the data": a concrete (not generic) description of the technical and organisational measures implemented by the (sub-)processor(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons.
  • Annex IV, "List of sub-processors": required where the parties opt for specific authorisation of sub-processors.

  5. Can third parties become party to the clauses of Article 28?

In principle, yes. Clause 5, although optional, contains a docking clause that allows third parties to accede to the Article 28 clauses throughout the life cycle of the contract, with the agreement of all the parties.

Once the annexes have been completed and signed, the acceding entity becomes a party to the Article 28 clauses and is treated as such from that moment.


Source: Commission Implementing Decision of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (C(2021) 3701 final).


Alston & Bird will continue to analyze the clauses of Article 28. We will publish additional work on this and related topics.
