The GDPR provides that a contract between a controller and a processor must contain the mandatory provisions set out in Article 28.3 of the GDPR. These mandatory provisions place a number of obligations on processors, for example, relating to data security, sub-contracting and providing assistance to the controller. Using the Commission clauses (once they have been finalised) will satisfy the requirement to have the mandatory provisions in place.
The vast majority of businesses use processors in one form or another. Examples of processors include payroll providers, cloud storage and IT support providers. If you use a hosted CRM or HR platform then the provider will usually be a processor as well.
The draft clauses should not be confused with the draft standard contractual clauses for international data transfers, which are a separate set of draft clauses that the Commission released at the same time.
The use of the clauses is optional, but if the model clauses are not used, controllers and processors must make sure that their contract meets the requirements of Article 28. However, the clauses represent an 'off the shelf' solution which may save the parties the trouble of having to engage in protracted and expensive negotiation in agreeing bespoke processing terms.
The clauses also contain a number of annexes which will assist the parties in completing contract specific particulars.
There was a concern that any draft Commission clauses would seek to go beyond the minimum requirements in the GDPR, and some of the provisions do appear to be one step beyond strict GDPR requirements. For example, the clauses state that a data processor must inform the controller about a personal data breach "without undue delay and at the latest within 48 hours after having become aware of the breach". The 48-hour obligation is new and is not something that can be found in the GDPR.
In light of this, controllers and processors may wish to review the clauses carefully before agreeing to contract on their terms.
The GDPR is silent on whether the controller or the processor is responsible for the processor's costs in complying with Article 28 obligations, and this is something that has not been addressed in the draft clauses in any meaningful way.
The implication is that the Commission consider costs to be a commercial issue between the parties. However, processors should be aware that in the absence of an agreement, it is likely that the processor will remain responsible for its costs in complying with Article 28, even if the controller is acting unreasonably, for example if the controller makes excessive or unreasonable requests for assistance.
The clauses are still in draft form and it remains to be seen what changes, if any, will be made before they are finalised.