On June 4, 2021, the European Commission published its long-awaited new set of Standard Contractual Clauses for outsourced data processing (DPA SCCs). These DPA SCCs are a contract template that organizations can use to comply with the General Data Protection Regulation's (GDPR) rules on outsourced data processing.

Although companies can freely choose whether or not to use the DPA SCCs, they will likely become the “gold standard” in the EU. (For an analysis of the new SCCs governing the transfer of personal data (New SCCs), see our WSGR Data Advisor post, A New Data Transfer Mechanism Is Available for EU Personal Data.)

Background

The GDPR requires controllers and processors to enter into a data processing agreement (DPA) to govern outsourced data processing.[1] Although both supervisory authorities (SAs)[2] and the EU Commission (EC)[3] have the authority to issue standard contractual clauses to serve as the DPA,[4] thus far, only the Danish SA has issued a set of DPA clauses. (See our WSGR Data Advisor post, On the Final Publication of the Danish Standard Contractual Clauses for Vendor Agreements: A New Standard?). Both the Danish SCCs and the DPA SCCs can be used as a DPA template across the EU.

The DPA SCCs become effective on June 27, 2021. Controllers and processors will then have four options: i) rely on the DPA SCCs as a whole (e.g., as a standalone contract or as an addendum to a broader contract, such as a Master Services Agreement), ii) rely on the DPA SCCs as a whole and further add other clauses or additional safeguards,[5] iii) rely on the DPA SCCs in part (e.g., by incorporating selected clauses into existing templates), or iv) continue to rely on their own templates (to the extent that these include all the provisions required by the GDPR).[6]

Using the DPA SCCs as a whole has the benefit of providing certainty that the parties are meeting the GDPR standard. Although parties may not amend the DPA SCCs themselves (if they do so, SAs would no longer presume that the contract meets the GDPR standard), they may further specify obligations under the DPA (e.g., the scope of audit rights, the locations of data storage, or the timeframe within which data must be returned to the controller upon termination). Adding such specifications can be useful for 1) controllers, to align the clauses with their existing templates or internal processes (such as for breach reporting), and 2) processors, to balance the rather controller-friendly provisions of the DPA SCCs.

Key Provisions  

The DPA SCCs address the GDPR requirements for outsourced data processing. The key provisions to review when considering whether or not to use the DPA SCCs include:

  • Need to carve out any processing for the processor's own purposes. The DPA SCCs specify that a processor may only process personal data for the specific purpose(s) of the processing set out in the DPA SCCs 'unless it receives further instructions from the controller.' Therefore, if a processor needs to process the data for its own purposes (e.g., analytics or product development), this should be specified in the principal agreement.
  • Controllers are given an immediate termination right. The DPA SCCs give controllers termination rights that will prevail over termination rights in the principal agreement. Termination may be immediate if the processor fails to comply with a court or regulatory order, or in case of ‘substantial or persistent’ breaches of the DPA SCCs or the GDPR. For breaches that are not ‘substantial or persistent,’ the controller can terminate if the breach is not remediated within one month.
  • Third parties can join the DPA through completion of a model annex. Any entity that is not a party to the DPA SCCs may, with the agreement of all parties, accede to the DPA SCCs at any time as a controller or as a processor by completing a template annex, referred to as a ‘docking clause.’
  • Need to specify the appropriate security measures. The parties must specify the essential information security measures that the processor must implement. The clauses provide high-level examples of such measures and allow companies to tailor them to the actual data processing. Examples include those already described in the GDPR (e.g., pseudonymization and encryption)[7], as well as other measures such as requirements for user identification and authorization, protection of data during transmission and storage, event logging, and certification and assurance of processes and products.
  • Additional safeguards for processing of special categories of data. Where the processing involves special categories of personal data, such as health-related data or information about race, religion, or political affiliation[8], the DPA SCCs require processors to take additional measures, which need to be documented in the annex covering the description of the processing. Examples of such measures include access restrictions, specialized training for employees handling such data, and restrictions on onward transfers. These are distinct from the technical and organizational security measures that must be implemented for all personal data processed.
  • No need for a separate DPA when parties enter into the New SCCs for international data transfers. Parties who enter into the New SCCs on international data transfers no longer need to also enter into a data processing agreement or addendum, such as the DPA SCCs, because the New SCCs (in their controller-to-processor and processor-to-processor modules) already contain the terms required by Article 28 GDPR.

Conclusion

Regulators and organizations doing business in the EU will likely consider the DPA SCCs as the gold standard for compliance with Article 28 of the GDPR. Even if organizations decide not to make the DPA SCCs part of their template contracts, they should expect to see these standard provisions more and more in their contract negotiations. Organizations should therefore carefully assess the impact of the DPA SCCs on their compliance program and negotiation strategy.

Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.

Laura Brodahl, Laura De Boel, Chris Foo, Joanna Juzak, and Nikolaos Theodorakis contributed to the preparation of this blog post.

[1] Article 28(3) and (4) GDPR.

[2] Article 28(8) GDPR.

[3] Article 28(7) GDPR.

[4] Article 28(6) GDPR.

[5] Provided that the additional clauses or safeguards do not directly or indirectly contradict the DPA SCCs or prejudice the fundamental rights or freedoms of data subjects.

[6] Article 28(3) GDPR.

[7] Article 32(1)(a-d) GDPR.

[8] Special categories of data are particularly sensitive types of data that are subject to stronger protection under the GDPR. These include, among others, data revealing ethnicity, political opinions, sexual orientation, genetic data, biometric data, or health-related data.