The European Commission (“EC”) recently issued a set of standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). The Intra-EU SCCs accompany a wider set of clauses issued for extra-EU/EEA personal data transfers (“Extra-EU SCCs”), covering transfers between different types of data processing actors (processors, controllers, sub-processors etc.). Both of them were published in the Official Journal of the European Union on June 7, 2021.
The clauses for intra-EU data processing arrangements are designed to help companies and other organizations that use third parties in the EU/EEA to perform data processing activities on their behalf to comply with the requirements of the GDPR.
Legal context
The legal basis enabling the European Commission to adopt the Intra-EU SCCs was provided for in Art. 28(7) of the GDPR. They are a brand new type of standard data protection clauses introduced for use in the EU. The Intra-EU SCCs are a tool that helps data controllers and data processors, both established in the EU/EEA, to comply with their respective obligations resulting from Article 28(3) and (4) of the GDPR.
The Intra-EU SCCs should be considered a recommended template for the data processing agreement required by Article 28 of the GDPR. What is important here is that the Intra-EU SCCs do not simply restate the provisions of Article 28(3) of the GDPR; in line with the EDPB’s Guidelines on the concepts of controller and processor, they translate those provisions into specific clauses that help the parties properly address the GDPR requirements. Below we present a summary of the key provisions of the Intra-EU SCCs and their practical implications for EU customers using cloud and other service providers in the EU.
Issue:
The Intra-EU SCCs provide a practical and useful mechanism for other parties (both controllers and processors) to accede to the data processing arrangement based on the clauses by simply completing and signing the respective annexes attached thereto (the “docking clause”). This mechanism simplifies the signature process for multi-party processing setups, as it does not require separate annexes to be executed and signed by all parties; this needs, however, to be read in the context of the governing law.
What does this mean in practice?
Easier conclusion of multi-party contracts.
Issue:
The Intra-EU SCCs expressly require the parties to agree on specific technical and organizational measures, which must be set out in Annex III to the Intra-EU SCCs. Annex III of the Intra-EU SCCs contains a list of 17 examples of such technical and organizational measures. This list is preceded by a note that the technical and organizational measures must be described concretely and that a generic description is not sufficient. This note goes beyond the content required by Article 28(3)(c) GDPR insofar as the latter only requires that the processor undertakes to take measures in accordance with Article 32, without specifying more precisely what those measures are. Taking into account that the newly published Intra-EU SCCs will most probably be seen as a market standard by the local data protection authorities (“DPAs”) in the EU Member States, it may be anticipated that the DPAs will pursue this standard in practice and will expect companies to prepare such annexes. Our experience shows that this standard was quite often not followed in practice, and that the parties to a data processing agreement used to confine themselves to agreeing that the processor would adopt “adequate technical and organizational measures for securing the data”, avoiding any specifics in the agreement.
What does this mean in practice?
The requirement to determine the security measures in the contract in sufficient detail may be a point of conflict. Such a requirement might be seen as raising confidentiality risks, and providers will likely be very reluctant to disclose any significant details; it seems, however, that providers may need to concede here and disclose much more than they do now.
Issue:
In the recommended approach presented in the SCCs with regard to audits by a data controller, the SCCs provide that audits should include inspections at the premises or physical facilities of the processor. Therefore, audit clauses in data processing agreements that excessively restrict the scope of the audits or inspections a data controller is allowed to conduct (e.g. to “paper audits” only) may be declared non-compliant by the DPAs. A possible counter-argument is that the European Data Protection Board stresses in its guidelines on cloud computing that individual audits of data hosted in a multi-party, virtualized server environment may increase the risks to the physical and logical network security controls in place. In such cases, according to the European Data Protection Board’s point of view, a relevant third-party audit chosen by the controller may be deemed to satisfy the requirement in lieu of an individual controller’s right to audit.
What does this mean in practice?
This might, however, be a new challenge for cloud providers: how to accommodate potential requests for on-site audits. While not compulsory, such audits still need to be an option. We may expect online audits of the provider’s infrastructure, e.g. cybersecurity testing, as the middle ground.
Issue:
The newly adopted Intra-EU SCCs will most likely become a benchmark for data processing arrangements between EU companies and EU service providers engaged in personal data processing (e.g. cloud service providers), despite the fact that the adopted set of clauses is not an obligatory mechanism that parties must apply each time they need to satisfy the requirements for the outsourcing of personal data processing. In this context, it should be noted that the parties may choose instead to negotiate an individual contract containing the compulsory elements set out in Article 28(3) and (4) of the GDPR. This feature distinguishes them from the Extra-EU SCCs, which are an obligatory and “fixed” (non-negotiable) mechanism for international data transfers (required by Article 46 of the GDPR).
Against this background, the provisions of the Intra-EU SCC on the relationship between the Intra-EU SCC and other agreements between the parties raise some questions. Except for adding or updating information in the Annexes, the parties must not modify the Intra-EU SCC (Intra-EU SCC, clause 2(a)). However, Intra-EU SCC, clause 2(b), also stipulates that this does not prevent the parties “from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.” In the event of “a contradiction” between the Intra-EU SCC and other agreements between the parties, the Intra-EU SCC “shall prevail” (Intra-EU SCC, clause 4).
Whether there is such a contradiction is particularly unclear where a subject is not expressly addressed in the new Intra-EU SCC. Consider, for example, a clause under which the processor may terminate the contract if the controller does not agree to the subcontracting of the processing activity from the processor to a sub-processor (see Intra-EU SCC, clause 7.7). Would such a clause “directly or indirectly contradict” the new Intra-EU SCC, since the latter do not provide for such a right of termination and such a right would significantly limit the controller’s freedom to refuse subcontracting to a particular sub-processor? Or would such a termination clause be an admissible “other clause” within the meaning of Intra-EU SCC, clause 2(b)? Given the above-mentioned optional nature of the SCC, we would rather tend to qualify such a clause as admissible.
What does this mean in practice?
The SCCs for intra-EU data processing outsourcing may contribute to simplifying the negotiation of data processing terms with providers within the EU. They also provide clear guidance on the contractual provisions likely to be expected, and the standards likely to be applied, by DPAs. Where parties use the new Intra-EU SCC and agree on provisions on subjects not addressed by the new Intra-EU SCC, they should ensure that these agreements do not “directly or indirectly” contradict the rest of the Intra-EU SCC.