On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here).

The current SCCs were adopted by the Commission before the GDPR came into force. The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements.

The main changes introduced by the draft SCCs are summarised below.


On 12 November 2020, the European Commission released its first draft set of clauses covering the Article 28 GDPR requirements, for consultation (available here).

Article 28 of the GDPR governs the relationship between controllers and processors. In particular, Articles 28(3) and (4) outline the details that must be included in a data processing agreement between a controller and a processor (e.g. purpose and duration of processing, details of the measures used to ensure security of data) as well as the obligations that apply to the processor (e.g. processing only on the documented instructions of the controller, implementation of security measures, assistance).

The clauses offer a useful insight into the Commission’s expectations on data processing agreements, which should assist organisations with any review (and, if required, development) of their data processing agreement templates.
