BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

European Commission Publishes Draft Article 28 Standard Contractual Clauses

The European Commission (Commission) published draft Article 28 standard contractual clauses (Article 28 Clauses) last month for use between controllers and processors when processing personal data in the European Union. Somewhat confusingly, these clauses share the same name as the new Standard Contractual Clauses for personal data transfers out of the EEA, which were also published in November 2020; however, the two are distinct.

As a reminder, Article 28(3) of the General Data Protection Regulation 2016/679 (GDPR) stipulates that “processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller.” It also sets out a number of prescribed processor obligations that must be included in the contract between a controller and a processor.

Under Articles 28(7) and (8) of the GDPR, the Commission and supervisory authorities have the right to adopt standard contractual clauses that comply with Article 28. These Article 28 Clauses are the Commission’s first attempt at adopting such standard contractual clauses and may come as a relief to some businesses.

In the two-and-a–half-year interim between the GDPR coming into effect and the publication of these Article 28 Clauses, businesses and their advisors have had to create bespoke provisions in their applicable agreements in order to comply with the requirements of Article 28(3). As such, many businesses will already have standard provisions to use and may have little to no need for the Article 28 Clauses; however, for some businesses, these Article 28 Clauses may be useful.

The Article 28 Clauses may be of particular use to small businesses that may not have the resources to create bespoke provisions and they may also prove useful to those businesses that already have bespoke provisions in place but want to benchmark their bespoke provisions against, or to augment them with, EU-mandated provisions.

It has been confirmed that controllers and processors will not be obliged to use the Article 28 Clauses so businesses will remain free to use their bespoke provisions.

The public consultation on the Article 28 Clauses ended on 10 December 2020. It is expected that the Commission will publish a finalized set of the Article 28 Clauses in early 2021.

Read the full text of the draft Article 28 Clauses.

Rebecca Agliolo contributed to this blog post.