GDPR: The Most Frequently Asked Questions: Are the Standard Contractual Clauses Enough?

February 2, 2018

The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: If a service provider has already agreed to the controller-processor standard contractual clauses, are you required to put additional GDPR-related contractual provisions in place?

Answer: Yes. The GDPR imposes two requirements when a company (referred to in the GDPR as a “data controller”) uses a service provider (referred to in the GDPR as a “data processor”).

The first requirement is that if a data controller is based in the EEA and is transferring personal data to a processor that is based outside of the EEA, the parties must take steps to ensure that the jurisdiction in which the data is going has “an adequate level of protection.”1 When the GDPR refers to an “adequate level of protection” it is not talking about the security of the data. Instead, it is referring to the protections afforded by the laws of the country to which the data will be transferred.

Under the GDPR, a jurisdiction typically affords data an “adequate level of protection” if one of four factors exist. First, the EU Commission can evaluate the laws of the foreign country and find that they are per se similar in nature to the GDPR. Second, the entity that will be receiving the data can enter into “binding corporate rules.” These refer to internal policies and procedures that have been presented to, and approved by, European data protection authorities.2  Third, a legally binding and enforceable instrument can be created between governments to facilitate the data transfer. An example of such an instrument is the EU-US Privacy Shield framework that was negotiated, and approved by the EU Commission, in 2016.3 Fourth, and most common, is the use by the contracting parties of contract provisions that have been pre-approved by the EU Commission as contractually guaranteeing an “adequate level of protection.”4 While some companies integrate the standard contractual clauses into larger service provider agreements, other contracting parties execute the standard contractual clauses as a free-standing agreement.

The second requirement imposed by the GDPR is that every service provider agreement must contain thirteen specific contractual provisions. Given the popularity of the standard contractual clauses, and the fact that they have been pre-approved by the EU Commission, many contracting parties assume that the standard contractual clauses incorporate all of these thirteen requirements. Unfortunately, they do not. The following chart summarizes the thirteen requirements within Article 28 and indicates which of those requirements are satisfied, partially satisfied, or not addressed by, the standard contractual clauses.

GDPR

Controller-Processor Contractual Clauses

Summary of Requirement

Reference

Requirement Satisfied by Standard Clauses

Explanation

1. Description of Processing.   The contract must specify:

1. subject matter of processing.

2. duration of processing.

3. nature and purpose of processing.

4. type of personal data to be processed

5. categories of data subjects about which the data relates.

(c/p)

Art. 23(3)

Partial Gap

Appendix 1 of the Standard Contractual Clause describes (1) subject matter of processing, (2) nature and purpose of processing, (3) type of personal data, and (4) categories of data subjects.

 

The standard contractual clause, and the Appendix, do not discuss the duration of processing.

 

2. Documented Instructions. A service provider can only process personal data consistent with a controllers documented instructions.

(c/p)

Art. 28(3)(a)

Satisfied.

Clause 5(a) and (b) of the Standard Contractual Clauses contain a requirement that processing can only occur based on a controller’s instructions.

3. Confidentiality. It must contain a confidentiality provision. That provision must ensure that persons authorized to process personal data have committed themselves to confidentiality.

(c/p)

Art. 28(3)(b).

Gap

The Standard Contractual Clauses do not contain a representation by a data importer concerning confidentiality.

4. Processor Security. Service provider will implement appropriate technical and organizational measures to secure information.

(c/p)

Art. 28(1)

Art. 28(3)(c)

Art. 32(1) (

Satisfied.

Clause 5(c) of the Standard Contractual Clauses requires the processor to agree to the security provisions contained in Appendix II.   Presuming that Appendix II contains a description of appropriate security there would be no gap.

5. Subcontracting authorization. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors.

(c/p)

Art. 28(2)

Art. 28(3)(d).

Satisfied.

Clauses 5(h) and 11(1) of the Standard Contractual Clauses requires that a processor notify the controller before using a Subprocessor, and obtain their prior written consent.

6. Subcontracting flow down obligations. Service provider will flow down these obligations to any subprocessors.

(c/p)

Art. 28(3)(d) Art. 28(4)

Satisfied.

Clause 11(1) of the Standard Contractual Clauses requires that a processor flow down obligations to any subprocessors.

7. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a sub-processors obligations..

Art. 28(3)(d)

 

Satisfied.

Clause 11(1) of the Standard Contractual Clauses requires that a processor remain fully liable for the actions of its subprocessors.

8. Responding to data subjects. Service provider will assist the Company to respond to any requests by a data subject.

(c/p)

Art. 28(3)(e)

Art. 12 – 23

Partial Gap

Clause 5(d)(iii) and clause 5(e) of the Standard Contractual Clauses require that a subprocessor notify a controller of a data subject request. The clauses do not specifically discuss an obligation to cooperate in responding to such request.

9. Assisting Controller In Responding to Data Breach.   Service provider will cooperate with controller in the event of a personal data breach.

Art. 28(3)(f) Art. 33 – 34

Gap

Clause 5(d)(ii) require that a processor notify a controller concerning a subset of what the GDPR defines to include a “data breach.” It does not comply with the GDPR’s timing requirements. It also does not discuss obligations to cooperate in investigations and response.  

10. Assisting Controller In Creating DPIA.   Service provider will cooperate with controller in the event the controller initiates a data protection impact assessment.

Art. 28(3)(f)

Art. 35)

Art. 35-36

Gap

The Standard Contractual Clauses do not discuss the obligation of a processor to participate in DPIA’s conducted by a data controller.

11. Delete or return data. Service provider will delete or return data at the end of the engagement.

(c/p)

Art. 28(3)(g)

Satisfied.

Clause 12(1) of the Standard Contractual Clauses requires a processor to delete or return data upon termination of the agreement.

12. Audit Right. Service provider will allow Company to conduct audits or inspections for compliance to these obligations.

(c/p)

Art. 28(3)(h).

Partial

Clauses 5(f) and 12(2) of the Standard Contractual Clauses refer to the ability of the data controller to audit or inspect the processor for compliance with the requirements of the clauses; as the clauses do not include all of the requirements of the GDPR the audit provision is technically narrower than is required under GDPR.

13. Cross-border transfers. Service provider will not transfer data outside of the EEA without permission of Company.

(c/p)

Art. 28(3)(a)

 

Art. 46

Partial

The Standard Contractual Clauses permit the transfer of data from the controller to a processor that is not based in the EEA. The clauses do not discuss whether the processor is permitted to engage in onward transfers to additional countries outside of the EEA.

 


1. GDPR, Art. 45(1).

2. GDPR, Art. 46(2)(b).

3. GDPR, Art. 46(2)(a).

4. GDPR, Art. 46(2)(c).