The Legal Information Service will be paused for the month of August and will recommence with the bulletin of September 2nd.
We complete the analysis of the EU Commissione 2021/915 decision which adopts the standard clauses between data controllers and data processors, considering their structure and merit in this session.
The art. 28 SCCs are contained in the Annex to the decision which, in turn and with an editorial approach that is not the clearest, contains four annexes:
- Annex I containing the list of parties and their contact information
- Annex II which contains the descriptive elements of the processing operations covered by the contract
- Annex III which indicates the technical and organizational security measures adopted
Annex IV including the list of any sub-processors.
How to use
Similarly to the SCC for transfers to third countries, also the standard clauses pursuant to art. 28 need to be customized, especially for the compilation of annexes I to IV.
Annex I must be signed and dated by the parties and contain the respective contact details of the contact person, bearing in mind that the signature must be affixed by whoever has the power to legally represent the party, while the contact details (and not the signature ) of the contact person refer to the subject chosen by the party for the management of the relationships covered by the contract; in the event that the party has designated a DPO, identification and contact details of the latter must also be reported; please note that the standard clauses have also been conceived for a possible use by several parties who can adhere to them also at subsequent times: in this case the parties that adhere to them will also affix the date and signature and indicate the identification data referred to above.
Annex II contains the description of the processing for each of the processors or sub-processors in terms of categories of data and data subjects, nature and purpose of the processing, retention periods.
Annex III requires a list of the measures actually implemented by each processor or sub-processor to ensure an adequate level of security: it is believed that – in order to satisfy ex post adequacy checks – the annex must be completed by each of them instead of reporting the measures taken cumulatively. The attachment must also contain the technical and organizational measures taken by the processor or sub-processor to ensure assistance to the data controller.
Annex IV must be completed in the case of specific authorization to appoint sub-processors, by entering the same identification and contact data of the sub-processor/s provided in Annex I; unlike Annex I, however, the signature of the sub-processor is not required as he is not part of the contract.
Any changes that may have occurred to the specifications of the attachments require their updating.