Grumpy GDPR: Standard Confusing Clauses?

On 25 May, the European Commission gave us a GDPR birthday present: a Q&A document for the 2021 SCCs. Are they really clarifying key issues, or creating more confusion?

Are the "DPA-SCCs" mandatory to use for your data processing agreements (Article 28(3) terms)? Do you have to sign every document part of your contractual setup? If a controller objects to a suggested new sub-processor, do you have to oblige - meaning you can never appoint new ones, ever?  🤔 So many questions! And we try to cover some of these in today's episode.

💡
Did you know that the term "standard contractual clauses", that is, "SCCs", is a generic term in the GDPR? Last year, the Commission published two sets of SCCs: one you can think of as "DPA-SCCs" because these can only be used as a data processing agreement ("DPA") as per Article 28(3) and are intended for use between controllers and processors in the EEA. The second set, what people usually refer to as "SCCs", are for transferring personal data to third countries as a safeguard under Chapter V (specifically Article 46(2)(c)). And to make the confusion complete, data protection authorities can also get SCCs approved, like the Danish one did for Article 28(3) agreements back in 2019 (which can, by the way, still be used!).