Intra-EU / EEA Standard Contractual Clauses: What You Need To Know

The European Commission (“EC”) recently published a set of standard contractual clauses for controllers and processors in the EU / EEA (“intra-EU SCCs”). The intra-EU SCCs accompany a wider set of clauses for the transfer of personal data outside the EU / EEA (“extra-EU SCCs”), which cover transfers between different types of data processing actors (processors, controllers, sub-processors, etc.). Both were published in the Official Journal of the European Union on June 7, 2021.

The clauses for intra-EU data processing agreements are intended to assist companies and other organizations that use third parties in the EU / EEA to carry out data processing activities on their behalf in order to comply with GDPR requirements.

Legal context

The legal basis that enables the European Commission to issue the intra-EU SCCs is Article 28(7) of the GDPR. They are a completely new type of standard data protection clause introduced for use in the EU. The intra-EU SCCs are a tool that helps data controllers and data processors, both based in the EU / EEA, to meet their respective obligations under Article 28(3) and (4) of the GDPR.

The intra-EU SCCs should be viewed as a recommended template for the data processing agreement within the meaning of Article 28 of the GDPR. Importantly, the intra-EU SCCs do not simply restate the provisions of Article 28(3) of the GDPR; in line with the EDPB’s guidelines on the terms controller and processor, they implement those provisions in specific clauses that help the parties comply properly with GDPR requirements. Below we present a summary of the key provisions of the intra-EU SCCs and their practical implications for EU customers using cloud and other service providers in the EU.

Problem:

The intra-EU SCCs provide a practical and useful mechanism for other parties (both controllers and processors) to join the data processing agreement based on the clauses by simply filling out and signing the respective attached annexes (“docking clause”). This mechanism simplifies the signing process in multi-party processing arrangements by eliminating the need to create separate attachments for all parties to sign – but it must be read in the context of applicable law.

What does that mean in practice?

Simplified conclusion of multi-party contracts.

Problem:

The intra-EU SCCs expressly require the parties to agree on specific technical and organizational measures, which are to be set out in Annex III of the intra-EU SCCs. Annex III contains a list of 17 examples of such technical and organizational measures. The list is preceded by a note that the technical and organizational measures must be described specifically and that a generic description is not sufficient. This note goes beyond the content of Art. 28(3)(c) GDPR, which in fact only requires the processor to undertake measures under Art. 32 without specifying them in more detail. Given that the newly published intra-EU SCCs will most likely be viewed as the market standard by the local data protection authorities (“DPAs”) in the EU member states, it is to be expected that the DPAs will follow this standard in practice and expect companies to create such annexes. Our experience shows that this standard was often not complied with in practice: the parties to a data processing agreement frequently limited themselves to agreeing on “sufficient technical and organizational protection of the data” by the processor, thereby avoiding any further specification in the agreement.

What does that mean in practice?

The requirement to specify the contractual security measures in sufficient detail can be a point of conflict. Such a requirement could be seen as a confidentiality risk, and vendors will likely be very reluctant to disclose material details – but it seems vendors will have to give in here and disclose much more than they do now.

Problem:

In the approach recommended in the SCCs for controller audits, the SCCs provide that audits should include inspections at the processor’s premises or physical facilities. Therefore, audit clauses in data processing contracts that unduly restrict the scope of the audits or inspections a data controller may carry out (e.g. limiting them to “paper audits”) can be declared non-compliant by the data protection authorities. A possible counter-argument in this context would be that the European Data Protection Board emphasizes in its guidelines on cloud computing that individual audits of data hosted in a virtualized, multi-tenant server environment can increase the risks to the physical and logical network security controls in place at the site. In such cases, in the opinion of the European Data Protection Board, a relevant third-party audit selected by the controller may be considered sufficient instead of the individual controller’s right to audit.

What does that mean in practice?

This could, however, present a new challenge for cloud providers – namely, how to meet such potential requests for on-site audits. While not mandatory, on-site audits still have to be an option. As a middle ground, we can expect online audits of the provider’s infrastructure, e.g. cybersecurity testing.

Problem:

The newly adopted intra-EU SCCs will most likely become a benchmark for data processing agreements between EU companies and EU service providers involved in the processing of personal data (e.g. cloud service providers), although the adopted clauses are not a mandatory mechanism that the parties must necessarily use each time they have to meet the requirements for outsourcing the processing of personal data. In this context, it should be noted that the parties retain the option of negotiating an individual contract that contains the elements prescribed in Art. 28(3) and (4) GDPR. This feature sets them apart from the extra-EU SCCs, which are a mandatory and “fixed” (non-negotiable) mechanism for international data transfers (required under Article 46 of the GDPR).

Against this background, the intra-EU SCCs raise some questions about the relationship between the intra-EU SCCs and other agreements between the parties. Other than adding or updating information in the Annexes, the parties may not modify the intra-EU SCCs (intra-EU SCCs, Clause 2(a)). However, Clause 2(b) of the intra-EU SCCs also provides that this does not prevent the parties from “incorporating the standard contractual clauses set out in these clauses in a broader contract or adding other clauses or additional guarantees, provided that they do not contradict the clauses directly or indirectly or impair the fundamental rights or freedoms of the data subjects.” In case of “a contradiction” between the intra-EU SCCs and other agreements between the parties, the intra-EU SCCs “will prevail” (intra-EU SCCs, Clause 4).

Whether or not there is such a contradiction is particularly unclear where a topic is not explicitly addressed in the new intra-EU SCCs. For example, consider a clause under which the processor can terminate the contract if the controller does not consent to the subcontracting of the processing activity from the processor to a sub-processor (see intra-EU SCCs, Clause 7.7). Would such a clause “directly or indirectly contradict” the new intra-EU SCCs, given that they do not provide for such a termination right and such a right would severely limit the controller’s freedom to refuse a particular sub-processor? Or would such a termination clause be a permissible “other clause” within the meaning of Clause 2(b) of the intra-EU SCCs? Given the optional nature of the SCCs mentioned above, we would be more inclined to qualify such a clause as admissible.

What does that mean in practice?

The SCCs for the outsourcing of data processing within the EU can help to simplify the negotiation of data processing terms with providers within the EU. They also provide clear guidance on which contractual provisions are likely to be expected and which standards are likely to be applied by data protection authorities. When parties use the new intra-EU SCCs and agree on provisions on issues not covered by them, they should ensure that these agreements do not “directly or indirectly” contradict the rest of the intra-EU SCCs.

The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. In some jurisdictions, this may qualify as “solicitation” which requires notification. Previous results do not guarantee similar results. More information is available at: www.bakermckenzie.com/en/disclaimers.