Article 28 Standard Contractual Clauses

With the publication this week of the new EU Standard Contractual Clauses for data transfers, a great deal of attention is understandably being paid to analysing the differences from the current set of SCCs. However, it shouldn’t be overlooked that another set of standard clauses has been issued by the EU, namely the Article 28 Standard Clauses. This blog considers the implications of these for contracting parties.

As a reminder, when personal data is being processed in the UK or EU, a set of mandatory terms must be included in the contract between the controller and the processor. These are contained in Article 28 of the GDPR. The EU has published a new set of Article 28 Standard Clauses. These are not mandatory for use within either the EU or the UK, but as they are likely to become widely adopted, and therefore the default standard in negotiations, they are worth reviewing in comparison with the current prevailing market position.

The main effect of the Article 28 Standard Clauses is to add some more flesh to the bones of Article 28 itself, which is quite high level in certain respects.

What are the key takeaways from these new Article 28 Standard Clauses?

• First, there are a few clarifications around the appointment of sub-processors, namely:

  • If general approval is given to a list of sub-processors, any changes to this list should be notified specifically in writing – so we may see an end to the contract simply providing a link to a website which the controller needs to monitor itself.
  • Also, under the Article 28 Standard Clauses, the notification of a new or replacement sub-processor needs to be given in sufficiently good time to give meaning to the right to object, which will help set a baseline for what that period should be. The notifications also need to be accompanied by sufficient information to enable the right to object to actually be exercised.
  • The new terms make clear that flow-down of data protection clauses to the sub-processor should be the same “in substance” – it does not need to be the exact wording from the main contract.
  • A copy of the sub-processing agreement must be provided to the controller on request – this is a big change from the current position, although it can redacted to protect confidential information.
  • Annex II of the Article 28 Standard Clauses requires the processor to provide a description of the processing carried out by sub-processors, including the subject matter, nature and duration of the processing. This may be challenging for vendors who use a large number of subprocessors to assist in providing services.

• Moving to audit rights, the Article 28 Standard Clauses now specifically mention that inspection at processor’s premises may be included as part of the audit rights, which is often a controversial area to agree.

• An express right to terminate the contract is given – for the controller this applies if there are material or persistent breaches by the processor, and by the processor if the controller insists on processing which is not compliant with law. The controller also has an express right to instruct the processor to suspend processing if there is a breach of the standard clauses.

• The security provisions required under Article 32 are to be set out in the contract as a minimum standard, and there is no mechanism for these to change automatically from time to time, as is often the case at present.

Despite these clarifications – there are still areas that are open for debate, as follows:

• The Article 28 Standard Clauses do not address the cost of compliance with the Article 28 requirements – so expect to see discussions continuing on how the costs of audit assistance or assistance with data subject access requests are handled.

• There is nothing in these Article 28 Standard Clauses about how to allocate responsibility for Art 32 compliance with security requirements – again this will be fertile ground for discussion as to whose security standard prevails, and whether one party should underwrite these as being compliant in the contract.

• There is no specific time period for notifying a personal data breach (the draft Article 28 Standard Clauses contained a 48 hour time period but this has now been removed to mirror the wording within the GDPR), other than “without undue delay”, so there is still scope for controller and processors to debate whether there should be a baseline time period for the processor to report, to allow the controller to meet its 72 hour deadline.

• Finally, unlike the Standard Contractual Clauses for the transfer of personal data (which, contain equivalent provisions to the Article 28 Standard Clauses and where appropriate for use, will now replace the need for separate Article 28 provisions), the Article 28 Standard Clauses do not contain any provisions relating to allocation of liability. This leaves open one of the biggest points to be negotiated.

It will be interesting to see how widely the new Article 28 Standard Clauses are adopted, and the impact they have on commercial negotiations of Art 28 provisions. We will report back on developments.

John McKinlay and Rachel De Souza