On 12 November 2020, the European Commission released its first draft set of clauses covering the Article 28 GDPR requirements, for consultation (available here).
Article 28 of the GDPR governs the relationship between controllers and processors. In particular, Articles 28(3) and (4) outline the details that must be included in a data processing agreement between a controller and a processor (e.g. purpose and duration of processing, details of the measures used to ensure security of data) as well as the obligations that apply to the processor (e.g. processing only on the documented instructions of the controller, implementation of security measures, assistance).
The clauses offer a useful insight into the Commission’s expectations on data processing agreements, which should assist organisations with any review (and, if required, development) of their data processing agreement templates.
Some provisions in the draft clauses (such as international transfers) have not been developed further, whereas others (such as the data breach notification provisions) have been expanded, meaning that (if adopted) they may impose additional requirements for processors. There are opportunities to comment on any such additional requirements during the consultation period.
Once finalised, the Article 28 clauses will not be mandatory but will be approved by the Commission to meet the requirements for agreements between controllers and processors under Article 28. The clauses may be supplemented with additional provisions, as long as they are non-conflicting.
Conclusion
While the Article 28 clauses do not, of themselves, require a re-papering of data processing agreements, it is prudent for organisations to consider whether their standard data processing agreements differ from the draft Article 28 clauses, and if so whether those differences can be justified, taking into account the circumstances of the processing.
The draft Article 28 clauses are open for consultation until 10 December 2020. If you are interested in submitting your comments, you can do so my accessing this link.
Keep an eye on our blog for further updates!