Insights

Data Privacy FAQs: How do the new Article 28 clauses fit with the new SCCs? Are both needed for a non-EU processor?

Data Privacy FAQs: How do the new Article 28 clauses fit with the new SCCs? Are both needed for a non-EU processor?

22 July 2021
Download PDFDownload PDF
Print
Share

Summary

In short, no.  It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time.

What are the European Commission approved Article 28 clauses?

Whilst the European Commission’s new standard contractual clauses (“SCCs”) for transfers to third countries (the “new SCCs”) received most of the fanfare when published on 4 June 2021, that date also saw the publication of a set of model processing clauses for use between controllers and processors (the “Article 28 SCCs”).

The Article 28 SCCs provide standard terms covering the content which must be included within data processing agreements between controllers and processors, pursuant to Article 28 of the General Data Protection Regulation (2016/679) (the “EU GDPR”). They provide a ready-made, EU GDPR compliant, off the shelf solution for parties wishing to enter into data processing agreements who, for example, don’t have a pre-existing approach to such contracts and their use is entirely voluntary. As far as the UK is concerned, the Article 28 SCCs have no status under the UK GDPR. 

When can you use the Article 28 SCCs and when do you need to use the new SCCs?

The Article 28 SCCs are only relevant to use in a controller-processor relationship that does not involve any outbound transfers of personal data to third countries. When data export to third countries is involved, the new SCCs offer the benefit of incorporating Article 28 GDPR compliant language within the controller – processor module, meaning that EEA based controllers may transfer personal data to a third country based processor without any need to enter into a separate data processing agreement or the Article 28 SCCs.

If you have any questions, please contact a member of the Data Privacy & Security Team for further information.

Related Practice Areas

  • Data Privacy & Security