Data Processing Agreement

COMMISSION IMPLEMENTING DECISION

of 4.6.2021

on standard contractual clauses between controllers and processors under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)[1], and in particular Article 28(7) thereof,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (EUDPR)[2], and in particular Article 29(7) thereof,

Whereas:

(1)       The concepts of controller and processor play a crucial role in the application of Regulation (EU) 2016/679 and of Regulation (EU) 2018/1725. The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purpose of Regulation (EU) 2018/1725, a controller means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by the Union. A processor is the natural or legal person, public authority, agency or other body, which processes personal data on the controller’s behalf.

(2)       The same set of standard contractual clauses should apply in respect of the relationship between data controllers and data processors subject to Regulation (EU) 2016/679 and also when they are subject to Regulation (EU) 2018/1725. This is because, in order to have a coherent approach to personal data protection throughout the Union and the free movement of personal data in the Union, the data protection rules in Regulation (EU) 2016/679, applicable to the public sector in the Member States, and the data protection rules in Regulation (EU) 2018/1725, applicable to Union institutions, bodies, offices and agencies, have, as far as possible, been aligned with each other.

(3)       To ensure compliance with the requirements of Regulations (EU) 2016/679 and (EU) 2018/1725, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which meet the requirements of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, including for the security of processing.

(4)       The processing by a processor is to be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the elements listed in Article 28(3) and (4) of Regulation (EU) 2016/679 or Article 29(3) and (4) of Regulation (EU) 2018/1725. That contract or act shall be in writing, including in electronic form.

(5)       In accordance with Article 28(6) of Regulation (EU) 2016/679 and Article 29(6) of Regulation (EU) 2018/1725, the controller and processor may choose to negotiate an individual contract containing the compulsory elements set out in Article 28(3) and (4) of Regulation (EU) 2016/679 or Article 29(3) and (4) of Regulation (EU) 2018/1725, respectively, or to use, in whole or in part, standard contractual clauses adopted by the Commission pursuant to Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725.

(6)       The controller and processor should be free to include the standard contractual clauses in this Decision in a broader contract, and to add other clauses or additional safeguards provided that they do not directly or indirectly contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. Use of the standard contractual clauses is notwithstanding any contractual obligations of the controller and/or processor to ensure respect for applicable privileges and immunities.

(7)       The standard contractual clauses should encompass both substantive and procedural rules. In line with Article 28(3) of Regulation (EU) 2016/679 and Article 29(3) of Regulation (EU) 2018/1725, the standard contractual clauses should also require the controller and processor to set out the subject matter and duration of the processing, its nature and purpose, the type of personal data concerned, the categories of data subjects and the obligations and rights of the controller.

(8)       Pursuant to Article 28(3) of Regulation (EU) 2016/679 and pursuant to Article 29(3) of Regulation (EU) 2018/1725, the processor has to inform the controller immediately if, in its opinion, an instruction of the controller infringes Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, or other Union or Member State data protection provisions.

(9)       If a processor enlists another processor to carry out specific activities, the specific requirements referred to in Article 28(2) and (4) of Regulation (EU) 2016/679 or Article 29(2) and (4) of Regulation (EU) 2018/1725 should apply. In particular, a prior specific or general written authorisation is required. Whether this prior authorisation is specific or general, the first processor should keep a list of other processors up to date.

(10)     To fulfil the requirements of Article 46(1) of Regulation (EU) 2016/679, the Commission adopted standard contractual clauses pursuant to Article 46(2)(c) of Regulation (EU) 2016/679. Those clauses also fulfil the requirements of Article 28(3) and (4) of Regulation (EU) 2016/679 for data transfers from controllers subject to Regulation (EU) 2016/679 to processors outside the territorial scope of application of that Regulation or from processors subject to Regulation (EU) 2016/679 to sub-processors outside the territorial scope of that Regulation. The standard contractual clauses set out in this Decision cannot be used as standard contractual clauses for the purpose of Chapter V of Regulation (EU) 2016/679.

(11)     Third parties should be able to become a party to the standard contractual clauses throughout the life cycle of the contract.

(12)     The operation of the standard contractual clauses should be evaluated, as a sub-part of the periodic evaluation of Regulation (EU) 2016/679 referred to in Article 97 of that Regulation.

(13)     The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(1) and (2) of Regulation (EU) 2018/1725 and delivered a joint opinion on 14 January 2021[3], which has been taken into consideration in the preparation of this Decision.

(14)     The measures provided for in this Decision accord with the opinion of the Committee established under Article 93 of Regulation (EU) 2016/679 and Article 96(2) of Regulation (EU) 2018/1725.

HAS ADOPTED THIS DECISION:

Article 1

The standard contractual clauses as set out in the Annex fulfil the requirements for contracts between controllers and processors in Article 28(3) and (4) of Regulation (EU) 2016/679 and of Article 29(3) and (4) of Regulation (EU) 2018/1725.

Article 2

The standard contractual clauses as set out in the Annex may be used in contracts between a controller and a processor who processes personal data on behalf of the controller.

Article 3

The Commission shall evaluate the practical application of the standard contractual clauses set out in the Annex on the basis of all available information as part of the periodic evaluation provided for in Article 97 of Regulation (EU) 2016/679.

Article 4

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Brussels, 4.6.2021

For the Commission

The President
Ursula VON DER LEYEN


[1]     OJ L 119, 4.5.2016, p. 1.

[2]     OJ L 295, 21.11.2018, p. 39.

[3]     EDPB – EDPS Joint Opinion 1/2021 on the European Commission’s Implementing Decision on standard contractual clauses between controllers and processors for the matters referred to in Article 28 (7) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725