On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) between controllers and processors for purposes of Article 28 of the EU General Data Protection Regulation (the “GDPR”). Article 28 of the GDPR sets out specific provisions that must be executed between data controllers and processors when personal data is shared.
The European Commission (the “Commission”) issued its draft on November 12, 2020, seeking to provide organizations subject to the GDPR with a standard data processing agreement that meets the requirements set forth in the GDPR. Once finalized, the SCCs will remain optional but demonstrate the level of detail that the Commission expects to see in data processing agreements.
CIPL welcomed the opportunity to comment on the draft and highlighted the following points, among others, to the Commission:
- The language and phrasing used in the SCCs should be aligned and consistent with the GDPR and ensure that the SCCs’ obligations do not go further than the obligations of the GDPR, such as with regard to notification obligations in the event of a breach;
- The SCCs should allow more flexibility with regard to their interaction with other contracts;
- A modular format should be provided to account for situations where a processor provides services in several different Member States or several services are provided to the same controller;
- The practical operation of the optional “docking clause,” which allows new parties to join the SCCs, should be clarified;
- Some revisions should be made to ensure that the SCCs work practically for controllers and processors, such as with regard to how data is treated at termination of the relationship or how “same obligation” in the context of sub-processing should be interpreted; and
- The SCCs should leave freedom for parties to negotiate certain commercial terms between themselves, such as those relating to audits, rather than mandating certain requirements.
Download a copy of CIPL’s full response.