New SCC - beyond the data transfers
Updated: 6 days ago
The new Standard Contractual Clauses (SCC) that the European Commission adopted on June 4 in relation to international data transfers understandably took up most of the limelight (read our contribution HERE), so one would almost be forgiven to forget that the Commission adopted at the same time a second set of SCC with a much broader applicability.
Indeed, that same Friday afternoon saw the adoption of a new set of Standard contractual clauses fo controllers and processors in the EU/EEA.
The concepts of controller and processor play a crucial role in the application of Regulation (EU) 2016/679 (GDPR).
The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is the natural or legal person, public authority, agency or other body, which processes personal data on the controller’s behalf. See the EDPB Guidance on this important topic here.
The purpose of the SCC is to ensure compliance with Article 28(3) and (4) GDPR, which mandate controllers and processors to conclude a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
In its implementing decision, the Commission states that "the controller and processor should be free to include the standard contractual clauses in this Decision in a broader contract, and to add other clauses or additional safeguards provided that they do not directly or indirectly contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects."
With this new set of SCC, the Commission gives privacy professionals a valuable template and benchmark for drafting their data processing agreements (at least between data controllers and processors).
While everyone remains free to cater to Article 28 GDPR compliance in their own words and fashion, the availability of this new model will serve as guidance and opens opportunities for new clause and contract drafting. For instance, as there are just a few elements in the SCC that require the choice of an option (and most of those just require a selection of whether you are acting as a private party or an EU government body), incorporation by reference into terms and conditions or a service agreement with a data processor (although frowned upon by some privacy purists) become genuine options.
One would hope that in the near future, the European Commission would also adopt similar SCC sets for other processing situations, such as independent and joint controllership.