In short, no. It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time.
What are the European Commission approved Article 28 clauses?
Whilst the European Commission's new standard contractual clauses ("SCCs") for transfers to third countries (the "new SCCs") received most of the fanfare when published on 4 June 2021, that date also saw the publication of a set of model processing clauses for use between controllers and processors (the "Article 28 SCCs").
The Article 28 SCCs provide standard terms covering the content which must be included within data processing agreements between controllers and processors, pursuant to Article 28 of the General Data Protection Regulation (2016/679) (the "EU GDPR"). They provide a ready-made, EU GDPR compliant, off the shelf solution for parties wishing to enter into data processing agreements who, for example, don't have a pre-existing approach to such contracts and their use is entirely voluntary. As far as the UK is concerned, the Article 28 SCCs have no status under the UK GDPR.
When can you use the Article 28 SCCs and when do you need to use the new SCCs?
The Article 28 SCCs are only relevant to use in a controller-processor relationship that does not involve any outbound transfers of personal data to third countries. When data export to third countries is involved, the new SCCs offer the benefit of incorporating Article 28 GDPR compliant language within the controller – processor module, meaning that EEA based controllers may transfer personal data to a third country based processor without any need to enter into a separate data processing agreement or the Article 28 SCCs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.