Advisories June 15, 2021

Privacy, Cyber & Data Strategy Advisory: FAQs – Standard Contractual Clauses for Controllers and Processors in the EU/EEA

Executive Summary
Minute Read

Our Privacy, Cyber & Data Strategy Team answers five questions about the standard contractual clauses that aim to ensure compliance with Articles 28(3) and (4) of the General Data Protection Regulation.

  • Do controllers and processors have to use the Article 28 clauses?
  • What language must be used and can it be modified?
  • How can third parties become involved?

Our Privacy, Cyber & Data Security Team previously reported on the “10 Key Takeaways from the European Commission’s New SCCs” for the transfer of personal data outside the European Economic Area (EEA). Together with the new EU standard contractual clauses for international data transfers, the European Commission also adopted standard contractual clauses between controllers and processors for the matters referred to in Articles 28(3) and (4) of the General Data Protection Regulation (GDPR). 

Articles 28(3) and (4) require that processing by a (sub)processor is governed by a contract that is binding on the processor with regard to the controller. The contract needs to set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Moreover, the contract must include a number of obligations incumbent on the (sub)processor, such as the obligation to process personal data only on documented instructions from the controller and to take all appropriate technical and organizational security measures to safeguard the data.

The standard contractual clauses between controllers and processors for the matters referred to in Articles 28(3) and (4) adopted by the European Commission aim to ensure compliance with the Articles 28(3) and (4) requirements in a standardized manner.

1. Are controllers and processors obliged to use the Article 28 clauses for their data processing agreements?
No, it is up to the controllers and processors to decide whether or not to use the Article 28 clauses, in whole or in part, to satisfy the Article 28(3) and (4) requirements. Controllers and processors may equally choose to negotiate an individual contract containing the compulsory elements set out in Article 28(3).

According to the European Data Protection Board, the use of standard contractual clauses is not necessarily preferred over negotiating an individual agreement. Nonetheless, standard contractual clauses may simplify the negotiations between controllers and processors over data processing agreements.

2. Do the Article 28 clauses ensure compliance with all Article 28(3) requirements?
Yes, if the annexes are properly completed by the parties. The purpose of the Article 28 clauses is to ensure compliance with Articles 28(3) and (4).

3. Can controllers and processors modify the Article 28 clauses?
No, the Article 28 clauses need to remain “standard.” Except for adding the required information to the annexes or updating information in them, controllers and processors are not allowed to modify the Article 28 clauses. 

It is allowed, however, to include the Article 28 clauses in a broader contract and add other clauses or additional safeguards, provided that they do not contradict the Article 28 clauses or prejudice the fundamental rights and freedoms of data subjects.

4. Do the Article 28 clauses require additional language from controllers and processors?
Yes, controllers and processors that want to make use of the Article 28 clauses will need to complete up to four annexes:

  • Annex I. “List of Parties” to describe the identity and contact details of the controllers and processors that have agreed to the Article 28 clauses.
  • Annex II. “Description of the Processing” to provide the details of the processing activities in terms of categories of data subjects whose personal data are processed, categories of personal data processed, sensitive data processed (if applicable) and applied restrictions and safeguards, the nature of the processing, the purposes for which the personal data is processed on behalf of the controller, the duration of the processing, and the subject matter, nature, and duration of processing by (sub)processors.
  • Annex III. “Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data” to describe concretely, not in a generic manner, the technical and organizational measures implemented by the processors to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.
  • Annex IV. “List of Sub-Processors” in case the parties opt for the specific authorization of subprocessors.

5. Can third parties become a party to the Article 28 clauses?
In principle, yes. Clause 5, though optional, provides for a docking clause that allows third parties to become a party to the Article 28 clauses throughout the life cycle of the contract with the agreement of all parties. 

Once the annexes are completed and signed, the acceding entity will become a party to the Article 28 clauses and be treated as such from that moment on.

Alston & Bird will continue to analyze the Article 28 clauses. We will publish additional work on this and related topics.

Meet the Author
Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.