The new common agreement for service suppliers (which we’ll refer to as the Controller-Processor SCCs) adopted by the European Fee on June 4th was understandably a bit overshadowed by the launch on the same date of the Standard Contractual Clauses for facts transfers (see blog post here). But the new Controller-Processor SCCs, which organizations can use with their service providers to satisfy their GDPR Posting 28 obligations, is one more welcome addition to the EU’s tiny but increasing library of normal files.
If you are organizing to use the new SCCs for facts transfers, you will locate that the Controller-Processor SCCs terms are presently constructed in, so you do not need to set the individual Controller-Processor SCCs in position. Nevertheless, if you are working with a expert services settlement that does not require a transfer of own information out of the EEA (or you are relying on a different lawful basis of the transfer) the Controller-Processor SCCs may well be just the ticket.
Comprehension the GDPR terminology
In most circumstances, we can simply just imagine about the new SCCs as a form contract amongst an group (the controller) and its provider service provider (the processor). In GDPR terminology, “controllers” are entities that are liable for producing conclusions about how a selected established of personalized data will be processed (in the terms of the GDPR, a controller “determines the functions and suggests of the processing”). “Processors” are entities that process particular info on behalf of the controller. “Processing” suggests executing anything at all with individual facts, from preliminary collection to its eventual deletion and almost everything in concerning. In apply, processors can make minor decisions about the specialized facets of performing with a presented established of personal facts without having remaining regarded as controllers of the private information. The crucial concern is whether one entity (the processor) is processing own information on behalf of the other entity (the controller), as opposed to processing the info on its very own behalf. Of training course, occasionally real-existence organization arrangements are a little bit far more complicated, in which case we advise consulting the European Info Safety Board’s guidelines on the principles of controller and processor, or talking with your privateness counsel.
What is the purpose of the Controller-Processor SCCs?
Write-up 28 of the GDPR involves a controller to enter into a written contract with its processor that addresses many goods as specified in Art. 28. In essence, Artwork. 28 functions as a form of contractual checklist. Most corporations that are topic to the GDPR will have dealt with a number of Artwork. 28-dependent contracts. Substantial support suppliers, these types of as cloud company vendors and other know-how alternatives companies, commonly have their very own normal contracts that address the Art. 28 demands for European private facts. Many other businesses have also formulated their own in-dwelling typical forms. It is fantastic to continue employing these forms, assuming that they hit all of the Artwork. 28 demands. But if you want complete certainty that you have pleased all of the Artwork. 28 necessities in a way that will satisfy the European knowledge security authorities, you may want to look at transitioning to the Commission-approved Controller-Processor SCCs. In effect, the Controller-Processors SCCs will gain from a presumption that they meet the demands of GDPR Artwork. 28. Though they could be challenged in court docket, the complainant would confront a significant bar to its challenge.
Will making use of the Controller-Processor SCCs broaden possibly party’s authorized obligations over and above the GDPR’s demands?
For the most aspect, the Controller-Processor SCCs keep fairly close to the wording of Posting 28. In a couple of cases, the SCCs elaborate a bit, but in the long run in ways that are dependable with other components of the GDPR. For example, clause 7.7(e) calls for the processor to consist of a third-social gathering beneficiary clause in its contracts with its sub-processors, these that “the controller shall have the proper to terminate the sub-processor agreement and to instruct the sub-processor to erase or return the individual data” in the celebration that the processor has turn into bancrupt or or else ceased to exist. Such as a 3rd-party beneficiary clause is not an convey requirement of Artwork. 28, but it would make feeling in mild of the obligations imposed on controllers by other elements of the GDPR. Equally, clause 9, which necessitates that the processor aid the controller when the controller has experienced a private facts breach via its have processing could possibly at initially glance feel to go outside of the scope of Artwork. 28, but it helps make perception in the context of hosted expert services where the controller is accomplishing the precise data processing work but working with a technique provided by the processor (and, we can believe, the processor’s cooperation would be necessary for the controller to look into and cure the breach).
What are the sensible gains of applying the Controller-Processor SCCs?
In quite a few situations, the point that the SCCs are not open up to negotiation will be a time-saver. The SCCs have to be used as-is, other than completing the annexes describing the data processing and safety actions (clause 2(a)). Organizations can supplement the SCCs with added conditions, or increase them to a larger agreement, so extended as the other terms don’t “directly or indirectly contradict the Clauses or detract from the elementary legal rights or freedoms of facts subjects” (clause 2(b)). The optional “docking clause” is yet another prospective time-saver – supplemental controllers and processors can only sign an addendum and sign up for onto an present set of the SCCs. That might be useful for far more complicated, multi-celebration collaborations, or for use inside of corporate teams.
When can I begin making use of the Controller-Processor SCCs?
Technically, on June 27, 2021, which is the day when the Commission’s conclusion normally takes lawful effect (20 days just after the June 7th publication in the Formal Journal of the European Union). Nevertheless, there is definitely no rationale to wait until eventually then. The new Controller-Processor SCCs meet the GDPR Artwork. 28 requirements, so businesses can begin placing them in spot promptly just on that basis.
©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.Nationwide Legislation Evaluation, Quantity XI, Selection 159