Standard Contractual Clauses 2021/915 may replace existing data processing agreements

Over the last months, we have been quite busy with the new Standard Contractual Clauses issued by the European Commission on 4 June 2021. We reported on this issue in detail in the June issue of our ePrivacy Newsletter. (link to the article)
While the topic is not entirely new, we can now report on a different aspect of the new Standard Contractual Clauses.
We automatically associate the term “standard contractual clauses” with Art. 46(2)(c) GDPR as an “appropriate safeguard” for the export of data to a third country. However, in addition to the Standard Contractual Clauses 2021/914, another set of clauses was issued..
These clauses, the Standard Contractual Clauses 2021/915, are specifically designed for controller-processor relationships within the EU:

  • The Standard Contractual Clauses 2021/915 can fully replace a data processing agreement.
  • These Standard Contractual Clauses apply to controller-processor relationships.
  • The SCCs 2021/915 do not have any “modules”. However, there optional and alternative, e.g. concerning sub-processors.
  • The annexes must be completed with details about the processing activity in question. For example, the clauses state, “The technical and organisational measures must be described in concrete terms; a general description is not sufficient”.
  • Like in the SCCs 2021/914, there is a “docking clause”. The docking clause allows the later accession of additional parties to the agreement.
  • Sensitive data require separate information on specific TOMs.
  • Clause 10 clarifies, among other things, procedures for breaches of contract. For example, there is a right to suspend the processing or to terminate the agreement, etc.

We would be happy to discuss the details of your inner European data transfers and the significance of these clauses for your data processing with you. Our experts from our DPO team are available to advise you at any time.

Your contact to ePrivacy: