European Commission Standard Contractual Clauses Article 28
The European Union (EU) has strict regulations when it comes to the processing of personal data of its citizens. The General Data Protection Regulation (GDPR) came into effect in May 2018 as the most comprehensive data protection regulation in the EU. One of the key requirements under GDPR is that businesses that handle EU citizens' personal data must have adequate safeguards in place to protect such data.
The European Commission Standard Contractual Clauses (SCCs) are one of the primary mechanisms that businesses use to ensure they are compliant with GDPR when transferring personal data outside the EU. These clauses are model contracts that provide a standard set of data protection terms for companies that transfer personal data outside the EU in a legally binding manner. The main goal of SCCs is to ensure that personal data is adequately protected when transferred to countries or organizations that do not have the same level of data protection as the EU.
Article 28 of the SCCs lays out the obligations of the data importer (the organization receiving the personal data) and the data exporter (the organization transferring the personal data) with respect to the processor. The processor is a third-party entity that processes personal data on behalf of the data importer. The processor may be a sub-processor of the data importer or an external service provider.
Article 28 requires that the data importer ensures that all processors comply with the data protection obligations laid out in the SCCs. This means that the data importer must ensure that the processor has adequate technical and organizational measures in place to protect the personal data.
The data exporter, on the other hand, must ensure that the data importer has provided the necessary information about the processor to ensure compliance. This includes verifying that the processor is aware of their obligations under the SCCs and ensuring that they have put in place the necessary measures to protect the personal data. The data exporter is responsible for ensuring that the processor complies with these obligations.
Both the data exporter and the data importer are required to maintain records of all processing activities carried out on behalf of the data importer. This includes details of the data processed, the purposes of the processing, the categories of data subjects involved, and details of any transfers of personal data to third countries.
In summary, Article 28 of the SCCs lays out the obligations of data importers and exporters concerning the processing of personal data by a processor on behalf of the data importer. Adherence to the SCCs is crucial for businesses operating in the EU or processing EU citizens' personal data to ensure that they remain compliant with GDPR. Failure to comply can result in hefty fines and reputational damage.