EDPB Ruling Provides Takeaways for DPA Standard Contractual Clauses

May 28, 2021 | Alerts

The European Data Protection Board (EDPB) issued an opinion on the draft Standard Contractual Clauses (SCC) for a controller-processor data processing agreement under Article 28 (Data Processing Agreements) submitted by the Lithuanian supervisory authority.

Some universal takeaways for those of us drafting and negotiating DPAs:

Controller Instructions

  • The possibility for the controller to give subsequent or further instructions is necessary to fully implement the rights and obligations of the parties, but is not unlimited. Any subsequent instruction should be in line with the respective rights and obligations of the parties set out in the SCCs.
  • Where the processor processes the data not under the instructions of the controller but because it is required to do so by Union or Member State law to which it is subject, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest. The board therefore recommends including this specification in the DPA.

Technical and Organizational Methods

  • The DPA should specify that the level of the risk should take into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons,” which corresponds to the wording of Article 32(1) GDPR.
  • It is a good idea to add “insofar as it is possible” regarding the processor's application of appropriate technical and organizational measures, and also to state that “the data processor shall, insofar as this is possible, assist the data controller in its obligation to give effect to the following data subject rights.”

Sub-Processors

  • The DPA should specify that prior to the processing, the data processor shall inform the sub-processor of the identity and contact details of the controller for which the sub-processor processes personal data.
  • The suggested obligation for the processor to provide a copy of the contract with the sub-processor where there is an impact on the instructions or the level of security is not explicitly provided by the GDPR. For example, the data processor is not obliged to provide those provisions of its agreement with the sub-processor that concern business-related issues and have no impact on the terms and conditions of the legal protection of personal data.
  • There is added value in having a third-party beneficiary clause as part of a standard contractual clause, as it preserves the rights of the controller; it should therefore be mandatory.
  • The board encourages including a reminder that “The data processor shall be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.”

Cross-Border Transfers

  • Mentioning the chosen tool for transfers, in addition to the instructions, contributes to demonstrating compliance of the parties with Chapter V of the GDPR. The language could be something like: “The data controller’s instructions or approval regarding transfers of personal data to a third country including, if applicable, the transfer tool under Chapter V of Regulation (EU) 2016/679 on which they are based, shall be set out in Annex 3 of these standard contractual clauses.”

Data Breach Notification

  • The parties should specify the number of hours by which the processor shall notify a data breach and it should not exceed 24 hours from the moment of becoming aware of the personal data breach.
  • You should not use the modifier “if possible” in connection with the data breach notification timing, taking into account that a processor has in any event an obligation to proceed to such notification (Article 33.2 GDPR), and to avoid giving rise to situations where the processor may argue it was “impossible” to notify the controller of the data breach within the agreed timeframe.

Deletion and Termination

  • The controller should be able to modify the choice regarding return or deletion that it made at the time of signature of the contract throughout the life cycle of the contract and upon its termination. Remaining copies should be deleted in any event.
  • The DPA should include the possibility for the controller to terminate where the DPA has been suspended and where compliance has not been restored within a certain amount of time to be determined by the parties.

Annexes

  • The processing activities should be described by the parties in the most detailed manner possible.
  • Including a table guiding the parties in the description of authorized sub-processors is a good idea.
  • The degree of detail of the information provided must be such as to enable the controller to assess the appropriateness of the measures, in order to comply with its obligation of accountability.
  • It is a good idea for the parties to include a description of the measures for the protection of software applications used to process personal data.
  • The annex should include the steps to be taken by the processor and the procedure to be followed in providing assistance to the controller with its obligations. For example, regarding data subject rights, it has to be clear whether: (i) the data processor is expected to have any contact with the data subjects, and how the processor needs to inform the controller when it comes to data subjects’ rights (e.g. forwarding the request to the controller within a specified timeframe or other appropriate measures); (ii) the controller instructs the processor to answer data subjects’ requests according to instructions given; or (iii) the processor makes the technical implementations instructed by the controller with respect to data subject rights. It is a good idea to specify the organizational measures under which the cooperation of the processor might be provided.
  • The issue of allocation of costs between a controller and a processor is not regulated by the GDPR; the board consequently encourages removing any reference to costs from these clauses. [It is unclear whether this should just not be in the sample, and left to the parties to decide.]

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert contact Odia at [email protected] or 215.444.7313.