Seemingly lost in all the excitement caused by the European Commission releasing much anticipated draft implementing decision and standard contractual clauses for international transfers was another, no less important draft decision and annex: standard contractual clauses between data controllers and data processors under Article 28 of the GDPR, in other words, a model data processing agreement.
The clauses ‘may’ be used in contracts between EU-based controllers and processors and therefore are not mandatory. So companies do not have to undertake yet another re-papering exercise. The clauses cannot be modified, however they can be included in a wider contract and parties can add other clauses or additional safeguards as long as they do not contradict the clauses or prejudice rights and freedoms of individuals. Interestingly, the clauses contain a docking clause allowing non-parties to accede at any time as data controller or data processor.
While there is no immediate need to undertake a re-papering exercise, companies should review their standard DPAs in light of these draft clauses and consider making changes to templates, especially where the clauses may use stronger language or impose more burdensome obligations than existing DPA templates. Companies should also consider reviewing processes to work out whether and how to accommodate some of the novelties in the clauses, for example the docking clause and the two options for sub-processors.
As with the SCCs for international transfers, the consultation is open for feedback until 10 December 2020.