Over the last few months, nay weeks, nay days (!), data privacy practitioners have been kept very busy with the release of a number of guidance papers from the European Data Protection Board (“EDPB”) and draft clauses issued by the European Commission, all of which have an impact on how various data protection clauses should be drafted.
First, the EDPB issued draft guidelines at the beginning of September on the concepts of controller and processor in the GDPR. For further information on these guidelines, see our passle here. The consultation period for these guidelines has now closed, so we are expecting final guidelines to be issued soon. Second, earlier this month, the EDPB issued guidelines on supplementary measures that data exporters/importers should be taking in respect of international transfers (i.e. Schrems II supplementary measures), some of which are contractual. Again, for further information, see our passle here.
Not to be left out of the loop, the European Commission has also been busy drafting suggested clauses. In addition to issuing new (draft) standard contractual clauses for transferring personal data outside of the EEA (“Ex EEA transfer standard contractual clauses”) (see our passle for further information on the implications of these here), the European Commission also published a key draft decision on 12 November 2020 (somewhat overshadowed by the Ex EEA transfer standard contractual clauses) on standard contractual clauses between controllers and processors for the matters referred to in Article 28(3) and (4) of the GDPR (“A28 controller/processor standard contractual clauses”).
These latest A28 controller/processor standard contractual clauses released by the European Commission are still open for consultation until 10 December 2020. However, the contents of these A28 controller/processor standard contractual clauses will come as no surprise to those of us who are familiar with the EDPB draft guidelines on the concepts of controller and processor (although interestingly, not all of the recommendations issued by the EDPB have been reflected in the A28 controller/processor standard contractual clauses (e.g. the obligation on a processor to obtain consent before making changes to security measures)).
Although, in contrast to the Ex EEA transfer standard contractual clauses, organisations will not be obliged to use the A28 controller/processor standard contractual clauses, the release of these clauses is a clear indication from the European Commission of their expectations of what should be included in a controller/processor data processing agreement; it would take a brave organisation to materially depart from the suggested recommendations.
What is clear from these draft A28 controller/processor standard contractual clauses is that organisations are obliged to include a sufficient level of detail around the requirements of Article 28 – simply incorporating Article 28 by reference is not going to be sufficient. (Long gone are the days of short data clauses!) In particular, organisations should, in their data processing agreements, whether acting as a controller or processor, include details around:
- security measures that should be taken by processors;
- what processor assistance and co-operation look like;
- process for breach notification by processors (including a requirement on processors to commit to a time period);
- use of sub-processors (and an obligation on processors to notify controllers of any failure by a sub-processor to fulfil its obligations); and
- responding to data subject rights.
This level of detail is likely to be welcomed by controllers, but processors who have in the past deliberately relied on the vagueness of Article 28 are likely to find some of it onerous, burdensome and difficult to implement in practice.
Although we are still awaiting the final guidelines and clauses (and of course confirmation on whether these final guidelines/clauses will be adopted by the UK from 1 January 2021), we strongly recommend that all organisations take the time now to review their existing contractual clauses with processors and controllers, to ensure that they meet the required standards. They will also need to consider a strategy for rolling out the updated clauses with their respective customers/vendors.
At Lewis Silkin, we know the importance of being commercially-minded and are happy to help clients navigate these new developments in a way that is compliant but importantly, also works in practice.
The standard contractual clauses should provide for both substantive and procedural rules.