# EDPB-EDPS Joint Opinion 1/2021 on standard contractual clauses between controllers and processors

- Type: Guidance
- Source: EDPB
- Identifier: edpb-edps-joint-opinion-12021-on-standard-contractual-clauses-between-en
- Date: 2021-01-14
- Original: https://www.edpb.europa.eu/documents/legislative-opinion/edpb-edps-joint-opinion-12021-on-standard-contractual-clauses-between_en
- Canonical: https://overview.legal/posts/126081
- Topics: Public Authority, Public Sector, Data Controller, Data Processor, Accountability, Security, Processors, Data Breaches, Delegation of Powers, International Transfer

## Summary

Adopted 1 EDPB - EDPS Joint Opinion 1 /2021 on the European Commission’s Implementing Decision on standard contractual clauses between controllers and processors for the matters referred to in Article 28 (7) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725 Adopted 2 Adopted 3 The European Data Protection Board and the European Data Protection Supervisor Having regard to Article 42(2) of the Regulation 2018/1725 of 23 October 2018 on the protection of natural persons…

## Full text

Adopted 1 EDPB - EDPS Joint Opinion 1 /2021 on the European Commission’s Implementing Decision on standard contractual clauses between controllers and processors for the matters referred to in Article 28 (7) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725 Adopted 2 Adopted 3 The European Data Protection Board and the European Data Protection Supervisor Having regard to Article 42(2) of the Regulation 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (“ EUDPR ”), Hav ing regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , HAVE ADOPTED THE FOL LOWING JOINT OPINION 1 BACKGROUND 1. In the context of the relationship between a controller and a processor, or processors, for the processing of personal data, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free mo vement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “ GDPR ”) establishes, in its Article 28, a set of provisions with respect to the setting up of a specific contract between the parties involved , and mandatory provi sions that should be incorporated in it. 2. According to Article 28 (3) GDPR, the processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller, sett ing out a set of specific aspects to regulate the contractual relationship between the parties. These include the subject - matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, among others . Article 28 (4) provides for additional requirements where a processor engages another processor for carrying out specific processing activities on behalf of the controller. 3. Under Article 28 (6) GDPR, without prejudice to an individual contract between th e controller and the processor, the contract or the other legal act referred in paragraphs (3) and (4) of Article 28 GDPR may be based, wholly or in part , on standard contractual clauses. These standard contractual clauses are to be adopted for those matte rs referred to in paragraphs (3) and (4). 4. Article 28 (7) GDPR provides that the Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2). 5. The EUDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data by the Union institutions and bodies and rules relating to the free movement of personal data between them or to ot her recipients established in the Union. 6. Article 29 (3), (4) and (7) of the EUDPR contain similar requirements as the ones included in Article 28 (3), (4) and (7) of the GDPR. This is justified by the fact that, in the interest of a coherent approach to 1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States” . Adopted 4 personal data protection throughout the Union and the free movement of personal data within the Union, the data protection rules applicable to the public sector in the Member States and the data protection rules for Union institutions, bodies, offices and agencies were aligned as far as possible. 2 SCOPE OF THE OPINION 7. On 12 November 2020, the Commission published:  a Draft Commission Implementing Decision on standard contractual clauses between controllers and processors for the matters referred to in Articl e 28 (3) and (4) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725) (the “ Draft Decision ”) ;  a draft Annex to the Commission Implementing Decision on standard contractual clauses between controllers and processors for the matters r eferred to in Article 28 (3) and (4) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725) (the “ Draft SCCs ”). 8. The same day, the European Commission also published a draft Commission Implementing Decision and its Annex on standard c ontractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. 9. On 12 November 2020, the European Commission requested a joint opinion of the European Data Protection Board ( EDPB ) and the European Data Protecti on Supervisor ( EDPS ) on the basis of Article 42(1), (2) of Regulation (EU) 2018/1725 (EU DPR) on these two sets of draft standard contractual clauses and the respective implementing acts. 10. For the sake of clarity, the EDPB and EDPS decided to issue two sepa rate opinions on these two sets of SCCs. 11. The scope of this opinion is thus limited to the Draft Decision and Draft SCCs between controllers and processors for the matters referred to in Article 28 (3) and (4) of the GDPR and Article 29 (3) and (4) of the E UDPR. 3 GENERAL REASONING RE GARDING THE DRAFT DE CISION AND THE DRAFT SCC s 3.1 General comments 12. Any set of SCCs must further specify the provisions foreseen in Article 28 GDPR and Article 29 EUDPR. The opinion of the EDPB and the EDPS aims at ensuring consistency and a correct application of Article 28 GDPR as regards the presented Draft SCCs that could serve as standard contractual clauses in compliance with Article 28 (7) GDPR and Article 29 (7) EUDPR. 13. The EDPB and the EDPS are of the opinion that clauses which merely restate the provisions of Article 28(3) and (4) GDPR and Article 29 (3) and (4) EUDPR are inadequate to constitute standard contractual clauses. The Board and EDPS have therefore decided to analyse the document in its entirety, including the append ices. In the opinion of the Board and the EDPS, a contract under Article 28 GDPR or Article 29 EUDPR should further stipulate and clarify how the provisions will be fulfilled. It is in this light that the Draft SCCs submitted to the Board and EDPS for opin ion are analysed. Adopted 5 14. Adopted standard contractual clauses constitute a set of guarantees to be used as is, as they are intended to protect data subjects and mitigate specific risks associated with the fundamental principles of data protection. 15. The EDPB and t he EDPS welcome in general the adoption of standard contractual clauses as a strong accountability tool that facilitates compliance by controllers and processors to their obligations under the GDPR and the EUDPR. 16. The EDPB already issued opinions on standar d contractual clauses prepared by the Danish Supervisory Authority 2 and the Slovenian Supervisory Authority 3 . 17. To ensure a coherent approach to personal data protection throughout the Union, the EDPB and the EDPS strongly welcome the envisaged adoption of SCCs having an EU - wide effect by the Commission. 18. The same set of SCCs will indeed apply irrespective of whether this relationship involves private entities, public authorities of the Member States or EU institutions or bodies. These EU - wide SCCs will en sure further harmonisation and legal certainty. 19. The EDPB and the EDPS also welcome the fact that the same set of SCCs should apply in respect of the relationship between controllers and processors subject to GDPR and EUDPR respectively. 3.2 Explanation of the methodology applied and structure of the document 20. For the sake of clarity, the present opinion comprises (i) a core part detailing general comments the EDPB and the EDPS wish to make and (ii) and an annex where comments of a more technic al nature are made directly to the Draft Decision and the Draft SCCs in order to provide some examples of possible amendments. There is no hierarchy between the general comments and the technical ones . 21. In addition, the main comments on the Draft Decision a nd the Draft SCCs are presented in two separate sections. Where needed, cross - references are made to ensure consistency. 22. For the sake of consistency, where needed, cross - references are also made to the EDPB - EDPS Joint Opinion 02/2021 on standard contrac tual clauses for the transfer of personal data to third countries. 4 ANALYSIS OF THE DRAFT DECISION AND I TS ANNEX 4.1 Main comments on the Draft Decision 4.1.1 On the scope of the Decision and on the articulation with the other set of Draft SCCs on transfers 23. Article 2 of the Draft Decision provides that “ the standard contractual clauses as set out in the Annex may be used in contracts between a controller and a processor who processes personal data on its behalf, where the controller and the processor are subj ect to Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 ”. 2 Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28 (8) GDPR): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinion_201914_dk_scc_en.pdf . 3 Opinion 17/2020 on the draft Standard Contractual Clauses submitted by the SI SA (Article 28(8) GDPR): https://edpb.europa.eu/our - work - tools/our - documents/opinjoni - tal - bord - art - 64/opinion - 172020 - draft - standard - contractual_en . Adopted 6 24. The EDPB and the EDPS are of the opinion that the current wording of this Article is source of legal uncertainty, as to the situations in which entities will be able to rely on these SCCs . 25. The EDPB and the EDPS understand that the intention of the Commission is that the se SCCs are only meant to cover intra - EU situations and that these clauses should not be relied upon in case of transfer within the meaning of Chapter V . In these cases, parties s hould rather rely on the separate set of standard contractual clauses that has been established for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 and that is also meant at covering Article 28 (3) and 28 (4) GDPR requ irements (“ transfer SCCs ”) . 26. T he EDPB and EDPS consider that the Draft Decision does not provide sufficient clarity to th e parties and the exact scope of the Decision has to be clearly set out and detailed in a specific recital of the Draft Decision , for in stance before the current Recital 10 of the Draft Decision . 27. Moreover, the Board and the EDPS are of the opinion that the current wording of Article 2 of the Draft Decision does not limit the scope to intra - EU situations as controllers or processors subjec t to the GDPR for a given processing activity may be established outside the E U by virtue of Article 3 ( 2 ) GDPR. It should then be clarified whether these SCCs could be relied upon in this situation. 28. Finally, the EDPB and the EDPS are rather of the opinion that the intended limitation to intra - EU situations is not justified. For example, t he EDPB and EDPS do not see any reason to prevent entities from relying on these SCCs – for the sake of complying with Articles 28 (3) and 28 (4) GDPR - if one of the party is not subject to the GDPR for a given processing activity but is located in an adequate country. If the scope of the SCCs is broadened to situations involving transfers outside the EU, it should be made clear to the parties that these SCCs will provide compliance with the requirements under Article 28 (3) and 28 (4) GDPR or 29 (3) and 29 (4) EUDPR but not all the requirements deriving from the GDPR or the EUDPR, for instance on the rules related to international transfers. 29. In the view of the EDPB and the EDPS, it is also important to clearly explain in the Decision the articulation and interplay between this set of SCCs and the transfer SCCs . It should be made clear to the parties, already in the decision, that when parties intend to b enefit from SCCs both under Article 28 (7) GDPR and 46 (2) c GDPR, then parties need to rely on transfer SCCs. 4.2 Main comments on the Annex to the Commission implementing decision 4.2.1 Purpose and scope (Clause 1 of the Draft SCCs ) 30. Clause 1 (a) of the Draft SCCs specifies that the purpose of the SCCs is to ensure compliance with the GDPR and the EUDPR. The EDPB and EDPS are of the opinion that parties to the contract when signing the clauses should be able to choose to select either references to the GDPR or the EUDPR depending on the relevant Regulation applicable to their situation. 31. This way, entities using SCCs under Article 28 GDPR would have no reference to the EUDPR in their SCCs and entities relying on Article 29 EUDPR would avoid the references to the GDP R. This would contribute to bring clarity in the relations between the parties that are often less familiar with such regulations. If so, the SCCs should specify that such choice is possible and adapt the drafting of the SCCs accordingly. 32. As provided for in Clauses 1 (b) and (c) , and in accordance with Clause 5 (Docking clause), several controllers and processors, listed in Annex I , can be parties to the SCCs for the processing specified in Annex II . The EDPB and EDPS believe that, in such case of multipl e parties to the contract, the SCCs (and their Annexes) should require from parties to further detail and delimit the allocation of Adopted 7 responsibilities and indicate clearly which processing is carried out by which processor(s) on behalf of which controller(s) and for which purposes. The current formulation of these clauses of the SCCs and the Annexes may lead to confusion as to the qualification and role of each entity with respect to a given processing operation, especially given the possibility to include a docking clause. 4.2.2 Invariability (Clause 2 of the Draft SCCs ) 33. According to Clause 2 (b) of the Draft SCCs , the parties undertake not to modify them unless additional clauses “ do not contradict, directly or indirectly ” the SCCs. To provide controllers and pro cessors with legal certainty, the EDPB and EDPS would welcome clarifications on the type of clauses that the European Commission would consider as contradicting directly or indirectly SCCs. Such clarification could for instance indicate that clauses contra dicting SCCs would be those that undermine or negatively impact the obligations in the SCCs or prevent compliance with the obligations contained the SCCs. For example, clauses allowing processors to use the data for its own purposes would be contrary to the obligation of the processor to process personal data only on behalf of the controller, and for the purposes and by the means identified by the latter . 4.2.3 Docking clause (Clause 5 of the Draft SCCs ) 34. Clause 5 of the Draft SCCs allows, as an option, any en tity to accede to the SCCs and therefore to become a new party to the contract as a controller or as a processor. As already mentioned above , the qualification and the role of such new party to the contract should appear clearly in the Annexes by requestin g parties to further detail and delimit the allocation of responsibilities and indicate clearly which processing is carried out by which processor(s) on behalf of which controller(s) and for which purposes . 35. Clause 5 (a) makes the accession of new parties to the SCCs conditional upon the agreement of all the other parties. In order to avoid any difficulties in practice, the EDPB and EDPS would welcome a clarification on the way such agreement could be given by the other p arties ( whether it should be in writing or not, the deadline to provide such agreement, the information needed before agreeing). Also, the EDPB and EDPS would welcome clarification as to whether and how such agreement has to be given by all the parties, ir respective of their qualification and role in the processing. 4.2.4 Obligations of the Parties (Clause 7 of the Draft SCCs ) 36. Although the title of this clause is “Obligations of the Parties”, Clause 7 (a) in its current form only makes reference to obligations i mposed on the processor. Article 28(3) GDPR specifies that the controller/processor contract shall set out the rights, but also the obligations, of the controller. Consequently, the EDPB and EDPS suggest that a reference is added to this clause to the obli gations imposed on the controller, for the purposes of completeness and enhanced clarity. For instance, the following sentence could be added before Clause 7 (a): “ The data controller has the right and obligation to make decisions about the purposes and me ans of the processing of personal data and is responsible for ensuring that the processing of personal data takes place in compliance with the applicable EU or Member State data protection provisions and the Clauses (including ensuring that the processing of personal data which the processor is instructed to perform relies on a legal basis pursuant to Article 6 GDPR or Article 5 EUDPR) ” . 37. Clause 7 (a) also provides that instructions should be specified in Annex IV and that subsequent instructions may also be given by the controller. The possibility for the controller to give “ subsequent instructions ” is necessary to fully implement the rights and obligations of the parties set out in the Adopted 8 SCCs, but is not unlimited. Any subsequent instruction should be in line with the respective rights and obligations of the parties set out in the SCCs. The EDPB and the EDPS consider that this should be clearly specified in the Clause. 38. Additionally, in order to enhance consistency with the text of 28 (3) ( a ) of the GDPR and Article 29 ( 3 ) ( a ) of the EUDPR and to include such obligation directly in the contract , the EDPB and the EDPS suggest amending the end of the first sentence of Clause 7 (a) with the following underlined wording: “ The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, u nless that law prohibits such information on important grounds of public interest ”. 39. Concerning the event of unlawful instructions given by the controller, described by Article 28 (3) subparagraph 2 GDPR, the EDPB and EDPS are of the opinion that the cont ract between the controller and the processor should include some more precise information as to the consequences and solutions envisioned in case the processor informs the controller that, in its opinion, the instruction infringes the GDPR or other applic able data protection provisions. Therefore, the European Commission should invite the parties to include further details about the consequences of the notification of an infringing instruction in the contract (e.g. a clause on the possibility for the proce ssor to suspend the implementation of the affected instruction until the controller confirms, amends or withdraws its instruction, a clause on the termination of the contract in case the controller persists with an unlawful instruction). 40. Concerning the options available to the controller pursuant to Clause 7.2 relating to e rasure or return of data , the EDPB and EDPS call on the European Commission to specify in the Clause itself that the controller should be able to modify the choice made at the time of signature of the contract throughout the life cycle of the contract and upon termination. 41. As a general comment on Clause 7.3 relating to the security of processing , the EDPB and EDPS note that all obligations lie on the processor without specifying the rol e of the controller in particular regarding the assessment of the risk which must be performed for security measures in consideration of the purpose of the processing set by the controller. In some cases, the processor might not be aware of the exact purpo se of the processing, for instance when hosting data. Therefore, and in accordance with the provision of Article 28.3 of the GDPR, the EDPB and EDPS are of the opinion that the C lause should be completed with the obligations applying with respect to the se curity of the processing to the controller which, in particular, has to provide all useful information to the processor to comply with the relevant requirements in this respect . 42. Clause 7.3 (a) of the Draft SCCs provide s that the processor has 48 hours at t he latest to notify the controller of a personal data breach . Such delay may be short in some situations and may also trigger confusion with the delay in which the controller has to notify the personal data breach to the SA (which starts when the controller is aware of it, i.e.; when the processor notifies him). While taking into account the requirement for the processor to notify the controller “ without undue delay ” after becoming aware of the personal data breach in accordance with Article 33.2 GDPR, t he EDPB and EDPS suggest to leave the parties to provide the appropriate timeframe to meet this requirement, depending on the specific situation . T he parties should thus be requested to specify in the SCCs the timeframe agreed for such notification . 43. Clause 7.4 (c) of the Draft SCCs provides for the possibility for the controller, in order to conduct audits, to rely on an independent auditor mandated by the processor. This provision is not foreseen Adopted 9 in Art ic le 28 (3) (h) GDPR and needs to be aligned with this article which provides that the processor has to allow for and contribute to audits, including inspections, that are conducted by the controller or another auditor mandated by the controller. As such, th e processor might propose an auditor, but the decision about the auditor has to be left to the controller according to Art icle 28 (3) (h) of the GDPR. 44. Clause 7.4 (c) also states that where the controller mandates an independent auditor, it shall bear the costs, and where the processor mandates an audit, it has to bear the costs of the independent auditor. As the issue of allocation of costs between a controller and a processor is not regulated by the GDPR, the EDPB and the EDPS are consequently of the opinion that any reference to the costs should be deleted from this clause. 45. With regard to Clause 7.7 on international transfers, and more specifically concerning the situation where a processor relies on a sub - processor in a third country, the ED PB and the EDPS express the view that point (b) could be more explicit as to the possibility for these two parties to sign one single set of SCCs which aims at compliance both with Chapter V and Article 28(4) GDPR, if this is indeed the goal this clause wo uld like to achieve, which would require further clarification. Also it should be clarified whether parties then need to rely on this set of SCCs or rather on the transfer SCCs also providing safeguards under Art icle 28 (3) and (4) of the GDPR. 46. Additionall y, the EDPB and the EDPS would like to highlight that while Clause 7.7 (b) only refers to the use of the transfer SCCs, several other transfer tools could be legitimately relied upon for framing the transfers from the processor to a sub - processor in a thir d country , and thus suggest using a more generic formulation referring to transfer tools under Article 46 GDPR . 47. The EDPB and the EDPS also identified the need to further clarify the last part of point (b) of Clause 7.7, referring to “ the conditions for the use of ” the transfer SCCs . As this provision suggests that there may be specific conditions for the use of the transfer SCCs , there is a need to specify what these conditions are. 4.2.5 Data Subject rights (Clause 8 of the Draft SCCs ) 48. The clause is currently entitled “ Data Subject rights ” but it is the opinion of the EDPB and the EDPS that the title does not reflect the content of the clause. 49. Clauses 8 ( a) and 8 ( b) of the Draft SCCs indeed refer to the processor’s obligation to provide assistance with contro ller's obligations to respond to requests for exercising data subject's rights laid down in Chapter III of the GDPR and Chapter III of the EUDPR. However, C lauses 8 ( c) and 8 ( d) refer to the assistance of the processor with other types of controller's obl igations, in particular under Articles 32 to 36 GDPR and Articles 33 to 41 EUDPR. 50. The EDPB and the EDPS therefore suggest to change the title of this clause to " Assistance to the controller " to reflect the different assistance that the processor needs to p rovide. 51. As an alternative, the EDPB and EDPS would recommend to the Commission to split the clause in two to distinguish between the assistance that the processor needs to provide:  with controller's obligations to respond to requests for exercising data s ubject's rights laid down in Chapter III of the GDPR and Chapter III of the EUDPR and  with controller's obligations under Articles 32 to 36 GDPR and Articles 33 to 41 EUDPR. Adopted 10 52. Also, Clause 8 ( a) of the Draft SCCs provides that “ the data processor shall promp tly notify the data controller about any request received directly from the data subject. It shall not respond to that request itself, unless and until it has been authorised to do so by the data controller ”. 53. The EDPS and EDPB are of the opinion that this clause should:  further specify that the responses to data subjects shall be made in accordance with the controller’s instructions (e.g. on content of the response) as set out in Annex IV ;  further specify that the scope of processor’s obligation relating to the exercise of data subject’s rights on behalf of the controller should be described and clearly set out in Annex VII. 54. Clause 8 ( c) ( 1 ) as well as C lause 9 ( a) require to specify the Superviso ry Authority which is competent but does not envisage the case where there are several controllers parties to the contract and thus several competent supervisory authorities. Therefore, t he possibility to mention several competent supervisory authorities should be added. In addition, there may be cases where the processing subject to the clauses is cross - border and a lead Supervisory Authority is to be identified as competent Supervisory Authority. This should also be reflected in C lauses 8 ( c) ( 1 ) and 9 ( a). 55. The EDPB and EDPS suggest that , in case processors within the EU are bound by third country laws or practices affecting the compliance with these Clauses , the Commission should assess whether an additional clause to addr ess these cases is appropriate. 4.2.6 Annexes to the Draft SCCs 56. The SCCs are designed to be used for data processing agreements, which may involve more than one party as a controller and/or more than one party as a processor. This implies the risk that, if the Annexes are not filled out approp riately, the responsibilities of the parties are blurred. This risk increases where new parties subsequently join the contract by using the Docking Clause and/or the contract covers processing for different purposes or under different circumstances. 57. The ED PS and EDPB are of the opinion that it is of utmost importance that the Annexes to the SCCs delimit with absolute clarity the roles and responsibilities of each of the parties in each relationship and with regard to each processing activity. This is necess ary for the parties to be able to determine who is processing which personal data for whom and for what purpose, and what instructions are applicable and who is allowed to give instructions. Any ambiguity would make it impossible for controllers or process ors to fulfil their obligations under the accountability principle. 58. Where the parties providing or using certain processing services, the description (details) of the processing, the applicable technical and organizational measures, the instructions from t he controller concerning the processing of personal data, the specific restrictions and/or additional safeguards concerning data of special category , the authorized sub - processors, and/or the technical and organisational measures by which the processor is required to assist the controller differ, the parties should be required to complete further Annexes I to VII, unless the differences are very limited and the exceptions clearly described in the Annexes. 59. In the case of a complex contract, which for example comprises several parties or several purposes, it must always be clear which Annex (or in case of limited deviations in one single Annex: which stipulation of such Annex) applies to which specific situation or relation. It is necessary to clearly identify and distinguish the different processing activities. *** Adopted 11 For the European Data Protection Supervisor The European Data Protection Supervisor (Wojciech Wiewiorowski) For the European Data Protection Board The Chair (Andrea Jelinek)

---
Generated by overview.legal · https://overview.legal/posts/126081 · 2026-07-17
