Standard contractual clauses for Article 28 Data Processing Agreements set out by the European Commission

The European Commission has adopted draft standard contractual clauses to be used between controllers and processors in the EEA.

These standard contractual clauses are designed to help organisations comply with the EU GDPR when they rely on third parties in the EEA to perform certain data processing activities on their behalf.

If organisations outsource data processing activities to a data processor, Article 28 of the GDPR requires data controllers to put in place a legal agreement that sets out the data protection obligations that must be covered. These data protection obligations include duties for the data processor with respect to: 

  • compliance with the data controller’s processing instructions; 

  • return or erasure of data at the end of the data processing services; 

  • information security; 

  • providing assistance to the data controller in complying with the latter’s obligations under the GDPR, such as in relation to data subject rights requests, notification of data breaches and data protection impact assessments; 

  • allowing and supporting audits conducted by the data controller or another auditor;

  • and engagement of sub-processors.

 

These new standard contractual clauses provide a standard data processing agreement that meets the requirements of Article 28(7) of the GDPR. They also include a number of annexes that must be completed by the parties, including providing a detailed description of the: 

  • data processing activity; 

  • information security measures; 

  • data controller’s instructions, special restrictions and/or safeguards concerning the processing of sensitive personal data; 

  • sub-processors involved in the data processing activities; 

  • and measures by which the data processor is required to assist the data controller.

 

While these standard contractual clauses are not mandatory, they do send a clear signal as to the level of detail the European Commission expects to see in data processing agreements. If you would like to discuss this or your data processing agreements, you can contact one of our data protection specialists here.