Standard Contractual Clauses between Controllers and Processors Located in the EU
In today`s complex world of data-driven business models, data protection and privacy are increasingly important issues. The European Union has established the General Data Protection Regulation (GDPR) to protect the privacy and data of its citizens. The GDPR applies to personal data processed within the EU and to EU citizens whose data is processed by companies outside the EU.
Controllers and processors that process personal data need to comply with GDPR requirements. A controller is the entity that determines the purposes, conditions, and means of the personal data processing, while a processor is the entity that processes personal data on behalf of the controller.
The GDPR requires controllers and processors to establish and maintain a contract containing specific provisions to ensure that the processing of personal data complies with the regulation.
One of the ways to ensure compliance with GDPR is to use the standard contractual clauses (SCCs) between controllers and processors. SCCs are established contract terms that are inserted into contracts between controllers and processors to ensure the protection of personal data.
SCCs are pre-approved by the EU and cover certain situations when personal data is transferred between controllers and processors located in different countries. These contracts are mandatory for any controllers and processors engaged in personal data processing in the EU.
SCCs establish specific obligations and responsibilities for both parties, including:
– The type of personal data to be processed
– The purposes for which the personal data will be processed
– The obligations of the processor to the controller
– The security measures implemented to protect personal data
– The rights and obligations of data subjects
– The obligations of the controller to the processor
– The possibility of the processor to subcontract the processing to a third party
SCCs can be used in bilateral contracts between controllers and processors, or in multi-party contracts between processors. They ensure that personal data is processed in accordance with the GDPR and respect the rights of data subjects.
If a controller or processor fails to comply with the SCCs, the supervisory authority can impose fines or other penalties. Controllers and processors should therefore ensure that they comply with the SCCs and the GDPR in general.
In summary, SCCs are an essential tool to ensure the compliance of controllers and processors with the GDPR. They establish specific obligations and responsibilities for both parties and protect the privacy and data of EU citizens. Controllers and processors should use SCCs to ensure that personal data is processed in compliance with the GDPR, and to avoid penalties and fines by supervisory authorities.
