Data Privacy FAQs: How do the new Article 28 clauses fit with the new SCCs? Are both needed for a non-EU processor?

22 July 2021

Summary

In short, no. It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time.

What are the European Commission approved Article 28 clauses?

Whilst the European Commission’s new standard contractual clauses (“SCCs”) for transfers to third countries (the “new SCCs”) received most of the fanfare when published on 4 June 2021, that date also saw the publication of a set of model processing clauses for use between controllers and processors (the “Article 28 SCCs”).

The Article 28 SCCs provide standard terms covering the content which must be included within data processing agreements between controllers and processors, pursuant to Article 28 of the General Data Protection Regulation (2016/679) (the “EU GDPR”). They provide a ready-made, EU GDPR-compliant, off-the-shelf solution for parties wishing to enter into data processing agreements who, for example, don’t have a pre-existing approach to such contracts. Their use is entirely voluntary. As far as the UK is concerned, the Article 28 SCCs have no status under the UK GDPR.

When can you use the Article 28 SCCs and when do you need to use the new SCCs?

The Article 28 SCCs are only relevant in a controller-processor relationship that does not involve any outbound transfers of personal data to third countries. When data export to third countries is involved, the new SCCs offer the benefit of incorporating Article 28 GDPR-compliant language within the controller-processor module, meaning that EEA-based controllers may transfer personal data to a processor based in a third country without any need to enter into a separate data processing agreement or the Article 28 SCCs.

If you have any questions, please contact a member of the Data Privacy & Security Team for further information.

Related Practice Areas

  • Data Privacy & Security

Meet The Team

Geraldine Scali

Co-Author, London

+44 (0) 20 3400 4483

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.