Data Transfer – Are Standard Contractual Clauses Sufficient?
This week’s top tip looks at a very specific area of GDPR: Article 28, to be precise, and data transfer
outside of the EEA. One of the ways in which you can legitimise an ex-EEA data transfer is by using
the standard contractual clauses (SCCs).
Article 28 mandates a number of requirements that must be placed on data processors, by data
controllers, via a contract. The question is, are the SCCs sufficient to meet these requirements?
Whilst the SCCs are quite comprehensive, they were drafted before the GDPR came into effect and,
as a result, not all of the requirements of Article 28 are addressed by the SCCs.
So, what can you do?
The challenge with the SCCs is that they have to be used verbatim. Any change to the wording, even if it has no material
effect on the interpretation, means that the parties cannot claim to be using the SCCs. However, it is permissible to add
clauses or incorporate the SCCs in a broader contract ‘provided nothing in the other contract or additional clauses alters
the effect of any of the model clauses’.
So, if you are outsourcing data processing to processors outside the EEA and transferring PII, you should supplement,
and not solely rely on, the SCCs. The specific gaps between Article 28 and the SCCs are, broadly speaking, that the SCCs
(and Appendix where applicable) do not:
Address the duration of processing
Contain a requirement for the data importer to commit to confidentiality
Contain a requirement to support the response to a data subject request
Comply with the timing or cooperation requirements relating to a ‘data breach’
Address the processor participating in a DPIA
Address all audit requirements
Address onward transfer of data outside of the EEA.