European Commission Implements Updated Standard Contractual Clauses for Cross-Border Transfers and New Standard Contractual Clauses for Controller and Processor Relationships - Part II of II: Controller-Processor SCCs

PDF

On June 4, 2021 the European Commission (“Commission”) implemented two sets of standard contractual clauses (“SCCs”). One set, which we covered on June 7th in Part I, governs cross-border transfers of personal data and seeks to align the SCCs with the requirements of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), the Court of Justice of the EU’s (“CJEU”) Schrems II decision, and today’s functional business realities (“Cross-Border SCCs”). The second set of SCCs sets forth standard contracting provisions between controllers and processors to align with the requirements of Article 28 of the GDPR (“Controller-Processor SCCs”). In Part II of this client alert, we’ll cover the Controller-Processor SCCs.

Q: What are the Controller-Processor SCCs?

A: The Controller-Processor SCCs are designed to satisfy the requirements of Article 28 of the GDPR, which requires processors (who process personal data on behalf of controllers) and controllers (who direct processors to process personal data on the controller’s behalf) to implement a contract setting forth specific data protection imperatives. Importantly, unlike the Cross-Border SCCs, the Controller-Processor SCCs are optional, meaning that companies do not need to replace existing controller-processor data protection agreements with the Controller-Processor SCCs, so long as their existing contracts otherwise contain the content required by Article 28.

Q: What’s important about the Controller-Processor SCCs?

A: The Controller-Processor SCCs enable controllers and processors to satisfy their contractual obligations under Article 28. Where many companies likely will have previously implemented separate data processing agreements into their contracts to satisfy Article 28 requirements, the Controller-Processor SCCs represent a simplification (and, potentially, a standardization) of the contracting process, whereby companies may enter into a templated agreement that takes much of the guesswork out of regulating processing relationships.

Q: When can companies start using the Controller-Processor SCCs?

A: The official implementation date of the Controller-Processor SCCs is June 27, 2021. However, companies should go ahead and review their existing data protection agreements to ensure they align with the Controller-Processor SCCs and make a determination as to whether to replace some or all components of those data protection agreements with the Controller-Processor SCCs.