On December 10, 2020, the Center for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth sent its response to the European Commission’s request for comments on its draft implementing decision on standard contractual clauses (“SCCs”) between controllers and processors for the purposes of Article 28 of the EU General Data Protection Regulation (“GDPR”). Article 28 of the GDPR contains specific provisions that must be put in place between controllers and processors when personal data is shared.
The European Commission (the “Commission”) published its draft on November 12, 2020 to provide organizations subject to the GDPR with a standard data processing agreement that meets the requirements set out in the GDPR. Once finalized, the SCCs will remain optional but will show the level of detail that the Commission expects in data processing agreements.
CIPL welcomed the opportunity to comment on the draft and highlighted the following points for the Commission:
- The language and wording used in the SCCs should be consistent with the GDPR and ensure that the SCCs’ obligations do not go beyond the obligations of the GDPR, for example with respect to notification obligations in the event of a breach.
- The SCCs should allow more flexibility in how they interact with other contracts.
- A modular format should be provided to take into account situations where a processor provides services in several different Member States or several services are provided to the same controller.
- The practical application of the optional “docking clause”, which enables new parties to join the SCCs, should be clarified.
- Some changes should be made to ensure that the SCCs work conveniently for controllers and processors, for example, how data will be treated upon termination of the relationship or how “equal obligation” should be interpreted in the context of sub-processing; and
- The SCCs should allow the parties the freedom to negotiate certain trading terms among themselves, such as those related to audits, instead of setting specific requirements.
Download a copy of CIPL’s full response.