On June 4, 2021, the EU Commission released two new contract templates, both labeled Standard Contractual Clauses (SCCs). The first template is for standard contractual clauses between controllers and processors under Article 28 of the GDPR, and its adoption is optional. The second template is for module-based standard contractual clauses for personal data transfers to non-adequate countries, and its adoption is required. With GDPR compliance as our top priority, Platform.sh has adopted both.
While organizations are free to adopt their own version of an Article 28 DPA, Platform.sh decided to adopt the EU Commission’s official, standardized template and labeled it as our “EU DPA.” We use this for EU-to-EU and EU-to-adequate-country transfers. By adopting the EU Commission’s template, as suggested by Article 28(7) of the GDPR, we ensure the strictest data protection coverage and avoid custom changes.
The SCCs for transfers to non-adequate countries are designed to ensure that a data importer in a non-adequate country has implemented appropriate safeguards to protect the personal data transferred outside of the EU, and that data subjects have enforceable rights and effective legal remedies. We use the official, standardized, module-based SCC templates as required by the European Commission, and choose the appropriate module based on the parties’ relationship.
These SCCs are only to be used for EU-to-non-adequate-country transfers, not for EU-to-EU or EU-to-adequate-country transfers.
What does the new EU DPA entail?
The European Commission published the finalized Article 28 standard contractual clauses, known as the EU DPA, for use between controllers and processors within the EU and adequate countries. While not mandatory, the standardized EU DPA now operates as a benchmark for what is expected in custom DPAs going forward.
The EU DPA clauses cannot be modified, except for adding or updating information to the Annexes. However, additional clauses can be added, or the clauses themselves can be added to a larger agreement. In the event of a conflict between the EU DPA clauses and additional clauses, the EU DPA clauses will prevail.
Other highlights of the new EU DPA include an optional docking clause, which enables new parties to accede to the clauses at any time; silence on the issue of who should bear the costs of an audit; two options for the use of sub-processors (prior specific authorization or general written authorization); and four annexes (list of parties to the agreement, detailed description of the data processing, technical and organizational measures, and a list of sub-processors) that must be completed by the parties.
What changes do the new SCCs contain?
The European Commission updated the SCCs to address more complex processing activities, GDPR requirements, and the Schrems II decision. Updates include requirements to implement additional transparency and notification measures surrounding government access requests, and to carry out and document an assessment of the laws of the non-adequate country to confirm that the local law in the importing country does not prevent compliance with the SCCs.
Since the new SCCs are modular, they are tailored to the specific type of transfer. Previously, SCCs applied only to controller-controller and controller-processor relationships from the EU to countries without adequacy. The updated clauses are expanded to include processor-processor and processor-controller transfers.
Does this impact me, and if so, what should I do?
Customers in EU and adequate countries
Our new EU DPA is only applicable to customers who use Platform.sh to process European Economic Area (EEA) personal data. For these customers, no action is required. This DPA automatically became part of your agreement with us on September 27, 2021.
If you have previously negotiated a separate DPA with Platform.sh that includes the prior version of the SCCs, those SCCs will remain effective until December 27, 2022, according to the European Commission’s Implementing Decision. If you would like to update them prior to that point, please contact your account representative. After this date, you will fall under our new EU DPA. If your existing DPA with a prior version of the SCCs has language which automatically allows for it to supersede newer revisions, the last day to sign a new agreement with Platform.sh is December 27, 2022.
Customers in countries without an adequacy decision
The SCCs are designed for an EU-to-non-adequate-country transfer, not a non-adequate-country-to-EU transfer or an EU-to-EU transfer. Our customers are the controllers in our relationship and entrust us with their data. Therefore, for our direct customers in non-adequate countries, the SCCs do not apply to our relationship, as this is a non-adequate-country-to-EU transfer. We will not sign SCCs where the proposed transfer is from a non-adequate country to the EU, but will sign our standard DPA to ensure adequate levels of protection.
Platform.sh is based in Paris, France and thus is not in a non-adequate country. While we do have entities in non-adequate countries, such as the USA and Australia, remote access by Platform.sh employees in these countries is not considered a “data transfer” per the EDPB Guidelines from 05/21 (though we have completed Supplementary Measures Assessments of these entities regardless). Platform.sh does engage sub-processors/vendors in both adequate countries and non-adequate countries. For these transfers, we ensure that the proper template is executed: our EU DPA for EU and adequate-country transfers, and SCCs with Supplementary Measures Assessments for non-adequate countries. In all cases in which we transfer personal data, we are committed to providing a high level of data protection for all of our customers.
If you would like to know more about our privacy and security, please visit the Trust Center.