As of 27 June 2021, the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (the “Decision”) will become applicable.
When we talk about standard contractual clauses, we usually have in mind a legal instrument that allows the transfer of personal data outside the EEA. However, both Regulation 2016/679 (“GDPR”) and Regulation 2018/1725 also provide for another case where the European Commission may define standard contractual clauses. This is the adoption of model provisions for the entrustment by a controller of the processing of personal data to a processor within the EEA. Such model clauses may be defined both at national level, by a supervisory authority (as was the case in Denmark), and at EU level – by the European Commission.
At the outset, it is important to note some general issues regarding the standard contractual clauses set out in the Decision:
- As indicated above, they apply to the relationship between a controller and a processor only within the EEA. This means that they cannot be used for outsourcing the processing of personal data in situations where there is a transfer of data to a third country. In cases of entrustment of the processing of personal data involving a transfer outside the EEA, the standard contractual clauses defined on the basis of Article 46(2)(c) of the GDPR apply.
- The standard contractual clauses set out in the Decision may apply both to the processing of personal data under the GDPR and to the processing of personal data by Union institutions, bodies, offices and agencies (under Regulation 2018/1725).
- There is no obligation to enter into entrustment agreements for the processing of personal data using the standard contractual clauses provided for in the Decision. The controller and the processor may enter into an individually negotiated agreement as long as it meets the requirements set out in the provisions of the GDPR and Regulation 2018/1725.
- The standard contractual clauses may be applied in whole or in part, and it is possible to include additional provisions and safeguards in the contract between the controller and the processor. However, these may not conflict with the standard contractual clauses or violate the fundamental rights or freedoms of the data subjects.
We already know the general principles, so it is time to go into details.
Do the standard contractual clauses actually make it easier to regulate the personal data processing entrustment relationship?
The Decision contains model provisions for an entrustment agreement. However, it contains some optional provisions and the controller has to choose one of them himself. Furthermore, in addition to the main content, the standard contractual clauses provide for annexes in which it is necessary to specify:
- the parties to the standard contractual clauses,
- the categories of data subjects, the sensitive data to be processed (where applicable) and the applicable restrictions or safeguards which take full account of the nature of the data and the risks involved, the nature of the processing, the purposes of the processing on behalf of the controller, the duration of the processing,
- the technical and organisational measures, including the technical and organisational measures to ensure data security to be applied by the processor, including a description of the specific technical and organisational measures to be applied by the processor to assist the controller,
- the list of further processors.
As you can see, therefore, the controller must himself determine many elements in the annexes to the standard contractual clauses or select one of the options contained in the body of the clauses. It is therefore not the case that you simply copy the provisions contained in the Decision and have a ready-made entrustment agreement. However, it is obvious that the standard contractual clauses, as the name implies, define a certain standard. The particular relationship between controllers and processors and the circumstances in which the processing of personal data is entrusted differ and require individual adaptation. In particular, if the controller entrusts the processing of personal data which require special protection due to their content (type), scope (amount of data) or the manner of processing (which may involve significant risks), the standard contractual clauses will probably need to be supplemented, e.g. with regard to the processor’s liability or the rules for carrying out audits. For more complex and high-risk, or even medium-risk, cases the standard clauses will not be sufficient on their own.
Certainly, however, the standard clauses set out in the Decision are a helpful guideline for the construction of personal data processing entrustment contracts.
Do the standard contractual clauses dispel all doubts that have so far arisen with regard to the construction of personal data processing entrustment agreements?
Quite a number of the provisions contained in the contractual clauses simply carry over the content of the provisions of the GDPR and Regulation 2018/1725; they do not add significant detail or clarification to those provisions. However, there are of course also standard provisions set out in the Decision which add more and provide real guidance when drafting personal data processing entrustment agreements. I would highlight in particular:
- singling out the entrustment of processing of special categories of data and indicating that the processor in such a case is to apply specific restrictions or additional safeguards (some examples of such measures are listed in Annex II Description of the processing);
- indicating that the technical and organisational measures to be applied by the processor should be described in detail, and not in a general way, in Annex III; in addition, Annex III is also to indicate the technical and organisational measures to be applied by the processor in order to assist the controller in fulfilling its obligations;
- clarifying that the processor in a contract with a further processor is to agree on a third-party beneficiary clause (i.e. the controller) to safeguard the situation where the processor ceases to exist. This clause is to allow the controller to directly terminate the contract with the further processor and have the further processor erase or return the personal data;
- indicating in which cases the controller and the processor may terminate the personal data processing outsourcing agreement.
The inclusion of clauses in this regard should be assessed positively. However, the Decision does not address all the issues which – according to my experience – are still problematic when constructing entrustment agreements. This concerns in particular the possibility of limiting audits carried out by the controller at the processor’s premises (e.g. limiting to 1 audit per year at the processor’s premises), bearing the costs of an audit or carrying out an audit by the controller at a further processor. While I understand that the standard contractual clauses are not the place to determine possible limitations of audits or bearing the costs of audits (in my opinion, these issues should be addressed in guidelines or recommendations of supervisory bodies), there are no clear provisions on the third issue indicated. The standard contractual clauses reserve the above-mentioned right of the controller to terminate the contract with the further processor and the issue of audits of the sub-processor is not explicitly addressed, which in my opinion is a significant shortcoming.
When concluding an individually negotiated contract for the entrustment of the processing of personal data, is it necessary to apply at least the same level of detail in the provisions as in the standard contractual clauses?
As indicated at the beginning, there is no obligation to use the standard contractual clauses; it is possible to conclude an individually negotiated agreement between a controller and a processor. Undoubtedly, however, in my opinion the supervisory authorities will take into account the content of the Decision and from that point of view they will assess whether the personal data processing outsourcing relationship has been properly regulated. In practice I encounter, for example, a lack of detailed specification of what technical and organisational measures are to be used by the processor. Instead of an annex, it is indicated in the content of the agreement that the processor is to use – in short – adequate measures to protect the entrusted personal data. In my opinion, however, the measures used should be listed in the entrustment agreement (in the annex). Of course, their description does not have to be very detailed, but it should allow the controller to assess whether these measures are adequate.
You will virtually never find in entrustment agreements (at least in Poland) the organisational and technical measures to be taken by the processor to assist the controller in complying with its obligations. I consider this element to be very useful for the processor. In my view, the absence of an explicit specification of such measures would not meet with any consequences from the supervisory authority, but it is definitely worth including such a section in the entrustment agreement.
I believe that the standard contractual clauses set out in the Decision should definitely be taken into account when constructing the entrustment agreement as they set a de facto model to which controllers and processors should adhere. Even if the agreement is constructed individually and the parties wish to formulate particular obligations differently, the issues indicated in the Decision should be taken into account.
advocate Agnieszka Rapcewicz