Decision of the European Commission on the data processing agreement
So much has been said about the new cross-border standard contractual clauses (SCCs), which the European Commission finally adopted on June 4, 2021, that it almost went unnoticed that the Commission released two different sets of SCCs that day. The other set (the DPA-SCC) relates to data processing agreements between controllers and processors, which do not necessarily involve cross-border transfers.
What are the DPA-SCC and in what situations do they apply?
As with the cross-border SCCs, the European Commission published a draft DPA-SCC for public consultation in November 2020 (for details, see the GT blog post of November 18, 2020). The background to the DPA-SCC, which has no predecessor under the EU Data Protection Directive, is that Article 28(3) GDPR requires several mandatory elements to be included in data processing agreements (DPAs) between a controller and a processor, and Article 28(7) GDPR authorizes the Commission to “lay down standard contractual clauses” for such DPAs. That is what the new DPA-SCC are: a model that standardizes the data protection rights and obligations of the respective parties in a DPA and, if used correctly, ensures compliance with the GDPR.
Note: the DPA-SCC are not mandatory, i.e. parties may use other provisions in their DPA as long as they comply with Art. 28(3) GDPR. In addition, while the cross-border SCCs deal with data transfers to non-EU/EEA countries (third countries), including transfers between controllers and processors, the DPA-SCC can only be used for data processing within the EU/EEA. In this respect they take a different approach and are shorter and simpler.
What are the main points to remember?
Unlike the cross-border SCCs, the European Commission had not previously provided model clauses for the contractual relationship between controllers and processors, so the DPA-SCC are a novelty (at EU level) and not “just” an update. While in the past some national data protection laws required quite specific provisions to be included in DPAs and some national data protection authorities provided model DPAs, the DPA-SCC apply at European Union level and therefore no longer require a country-by-country analysis.
Controllers and processors can use the new DPA-SCC to comply with Article 28 GDPR. The DPA-SCC are therefore particularly convenient for businesses with lower administrative capacity that have not yet established their own “standard” GDPR-compliant DPA.
If, however, data is exported to third countries, the DPA-SCC alone are not sufficient to ensure the lawfulness of the processing. Conversely, the cross-border SCCs already contain the provisions a DPA must include under Article 28 GDPR, so in those cases using the cross-border SCCs is sufficient.
How are the DPA-SCC used?
The DPA-SCC consist of two parts: the contractual clauses themselves, which (subject to a few options) should not be changed, and four annexes, which the parties complete individually. As with the cross-border SCCs, parties are of course not obliged to use the DPA-SCC for their data processing arrangements. The great advantage of using them, however, is that the parties can be confident that their data processing agreement complies with the requirements of Article 28 GDPR – a benefit that is lost if the “mandatory” parts are changed.
Annex I names the parties. Annex II describes the respective processing (e.g. categories of data subjects and of data processed). Note that the European Commission has removed some particularly important mandatory elements that were still included in the last draft version (e.g. “record(s) of processing” and “place of storage and processing of data”). Annex III lists the technical and organizational measures for data security implemented by the processor. These should be described specifically, not generically. A list of possible measures is provided, including, for example, pseudonymization and encryption of personal data, measures for internal IT and IT security governance and management, and measures to protect personal data during transmission. In addition, if sub-processors are used, the specific technical and organizational measures to be taken by each sub-processor must be described. Selecting, implementing and describing these measures will require less preparatory work than for the cross-border SCCs, since no third-country legislation or other risks arising from a transfer of data to a third country need to be assessed. Annex IV names the sub-processors, including the scope of their sub-processing.
One point that may cause confusion: the DPA-SCC apply both to data processing agreements subject to the GDPR and to data processing agreements subject to Regulation (EU) 2018/1725, which is “the GDPR for EU institutions”. The DPA-SCC therefore contain a number of alternative clauses that apply only when used by an EU institution (and should otherwise be deleted).
When do the new DPA-SCC come into effect?
Like the cross-border SCCs, the DPA-SCC have been applicable since June 27, 2021. As the DPA-SCC are not mandatory, existing (and future) DPAs remain valid as long as they meet the requirements of the GDPR.
© 2021 Greenberg Traurig, LLP. All rights reserved. Revue nationale de droit, volume XI, number 274