Guidelines on Data Breach Notification by the EDPB / Joint opinions on the new draft SCC’s by the EDPB and the EDPS – Legal Monitoring Letter #3

/ Guidelines on Data Breach Notification by the EDPB [1]

On 14 January 2021, was adopted the draft Guidelines 1/2021 on Examples regarding Data Breach Notification by the European Data Protection Board (“EDPB”).

The document is a practice-oriented guidance that apply the experiences gained by supervisory authorities („SA“) of the EEA since the Regulation 2016/679/EU („GDPR“) is applicable. The aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. It organizes 18 cases according to the following categories of breaches:

• Ransomware

• Data exfiltration attacks

• Internal human risk source

• Lost or stolen devices and paper documents

• Mispostal

• Other cases – social engineering

Тhe cases are fictitious but they are based on typical cases from the SA’s collective experience with data breach notifications. Certain mitigating measures are called for in each case when dealing with a certain category of breaches. Theсе measures are not necessarily repeated in each case analysis belonging to the same category of breaches. For the cases belonging to the same category only the differences are laid out. Therefore, all cases relevant to certain category of a breach should be read to be identified and distinguished all the correct measures to be taken.

However, for each case, the Guidelines provide:

• an assessment whether the controller took appropriate prior safety measures to prevent and mitigate the impact of a potential data breach;

• risk assessment: factors that the controller should consider as type of data breach, nature, sensitivity, volume of the personal data concerned, number of data subjects affected, impact and severity of the data breach, potential consequences, etc. 

• mitigation measures that the controller should have taken;

• obligations of the controller: assessment whether is necessary the data breach to be documenting according to Article 33 (5) of the GDPR, notified to the Supervisory Authority and/ or to be communicated to data subjects.

For example, in case 14 the authority is reviewing the situation in which sensitive personal data is sent by mail by mistake:

“The employment department of a public administration office sent an e-mail message – about upcoming trainings – to the individuals registered in its system as jobseekers. By mistake, a document containing all these jobseekers’ personal data (name, e-mail address, postal address, social security number) was attached to this e-mail. The number of affected individuals is more than 60000. Subsequently the office contacted all the recipients and asked them to delete the previous message and not to use the information contained in it.”

• Assessment whether the controller took appropriate prior safety measures: The authority is on the opinion that in this case stricter rules should have been implemented for sending such messages and the introduction of additional control mechanisms need to be considered.

• Risk assessment: The EDPB note that the number of affected individuals is considerable, and the involvement of their social security number, along with other, more basic personal data, further increases the risk, which can be identified as high. The eventual distribution of the data by any of the recipients cannot be contained by the controller.

• Mitigation measures that the controller should have taken: The EDPB explain that the means to effectively mitigate the risks of a similar breach, are limited. Though the controller asked for the deletion of the message, it cannot force the recipients to do so, and as a consequence, nor can it be certain that they comply with the request.

• Obligations of the controller: In this case the EDPB note that is necessary the data breach to be documented, notified to SA and to be communicated to data subjects.

The execution of all three above indicated actions should be self-evident in a case like this.

/ EDPB and EDPS joint opinions on the new sets of SSCs

On 12 November 2020, the European Commission (“Commission”) published:

• a Draft Commission Implementing Decision on SSCs between controllers and processors for the matters referred to in Article 28 (3) and (4) of Regulation (EU) 2016/679 (“GDPR”) and Article 29 (7) of Regulation (EU) 2018/1725) (“EUDPR”) (the “Draft Decision”)

• a draft Annex to the Commission Implementing Decision on SSCs between controllers and processors for the matters referred to in Article 28 (3) and (4) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725) (the “Draft SCCs”)

The same day, the Commission also published a draft Commission Implementing Decision and its Annex on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

The Commission requested a joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) on these two sets of draft SSCs and the respective implementing acts.

In this regard, on 15 January 2021, the EDPB and the EDPS have adopted joint opinions on two sets of standard contractual clauses (SSCs):

• Joint Opinion 1/ 2021 on the SSCs for contracts between controllers and processors.

• Joint Opinion 2/ 2021 on the SSCs for the transfer of personal data to third countries.

Below are noted key findings from the Opinions: 

/ Joint Opinion 1/2021 [1]

The opinion consists of:

• a core part detailing general comments;

• an annex where comments of a more technical nature are made directly to the Draft Decision and the Draft SCCs in order to provide some examples of possible amendments.

The scope of the opinion is limited to the Draft Decision and Draft SCCs between controllers and processors for the matters referred to in Article 28 (3) and (4) of the GDPR and Article 29 (3) and (4) of the EUDPR.

Main comments on the Draft Decision

The EDPB and the EDPS understand that the intention of the Commission is that these SCCs are only meant to cover intra-EU situations and should not be relied upon in case of transfer within the meaning of Chapter V of the GDPR (to third countries or international organizations).

Article 2 of the Draft Decision provides that the SSCs as set out in the Annex may be used in contracts between a controller and a processor who processes personal data on its behalf, where the controller and the processor are subject to the GDPR or EUDPR.

In the latter cases, parties should rather rely on the separate set of SSCs that has been established for the transfer of personal data to third countries (“transfer SCCs”).

The EDPB and the EDPS are of the opinion that the current wording of Article 2 of the Draft Decision does not limit the scope to intra-EU situations as controllers or processors subject to the GDPR for a given processing activity may be established outside the EU by virtue of Article 3 (2) GDPR. In their opinion it should be clarified whether these SCCs could be relied upon in this situation.

The EDPB and the EDPS, state that it is also important to clearly explain in the Decision the articulation and interplay between this set of SCCs and the transfer SCCs. It should be made clear to the parties, already in the decision, that when parties intend to benefit from SCCs both under Article 28 (7) GDPR and 46 (2) c GDPR, then parties need to rely on transfer SCCs.

And finally, the EDPB  and the EDPS comment that it is of utmost importance that the Annexes to the SCCs delimit with absolute clarity the roles and responsibilities of each of the parties in each relationship and with regard to each processing activity.

In the case of a complex contract, which for example comprises several parties or several purposes, it must always be clear which Annex applies to which specific situation or relation.

/ Joint Opinion 2/2021 [1]

The Joint Opinion consists of:

• a core part detailing general comments;

• an annex where additional comments of a more technical nature are made directly to the Draft SCCs, in order to provide examples of possible amendments.

Below are noted key findings from the Opinion:

General comments on the Draft Decision and Draft SCCs

The EDPB and the EDPS welcome the fact that the new SCCs strive to:

• bring the SCCs in line with the GDPR.

• better reflect the widespread use of new and more complex processing operations and the evolving business relationships.

• provide for specific safeguards to deal with the effect of the laws of the third country of destination on the data importer’s compliance with the clauses, and in particular how to deal with binding requests from public

[1] https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22021-standard_en

authorities in the third country for disclosure of the personal data transferred.

Interplay with the EDPB Recommendations on supplementary measures

The authorities recall that the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data will remain relevant after the adoption of the Draft SCCs. EDPB and the EDPS call on the Commission to clarify that there may still be situations where, despite the use of the new SCCs, ad-hoc supplementary measures will remain necessary to be implemented in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU.

The draft Decision

References to the EUDPR (Recital (8))

The EDPB and the EDPS understand that the intention of the Commission is that the Draft SCCs should cover processing operations between processors and sub-processors for which the controller is an EU institution, body, office or agency (“EUI”) subject to the EUDPR. The authorities consider that the relevant requirements of the EUDPR should be reflected throughout the entire chain of contracts when a EUI is the controller.

The scope of the Draft Decision and the notion of transfers (Article 1(1))

The EDPB and the EDPS understand that the Draft Decision does not cover transfers to a data importer not in the EEA but subject to the GDPR for a given processing under Article 3(2) GDPR and transfers to international organizations.

The EDPB already clarified in its Guidelines on the territorial scope of the GDPR  that a controller or processor is never subject as such to the GDPR, but only in relation to a given processing activity.

The EDPB already clarified in its Guidelines on the territorial scope of the GDPR that a controller or processor is never subject as such to the GDPR, but only in relation to a given processing activity.

Therefore, the EDPB and the EDPS recommend rephrasing Article 1(1) of the Draft Decision accordingly.

The Draft SCCs

General remark

The EDPB and the EDPS welcome the introduction of specific modular approach. However, the authorities note that it is not clear whether one set of the SCCs can include several modules in practice to address different situations, or whether this should amount to the signing of several sets of the SCCs. In this regard, they suggest that the Commission provides additional guidance.

Clause 1 – Purpose and scope Articulation and interplay between these SCCs and the SCCs pursuant to Article 28(7) GDPR – when parties intend to benefit from SCCs both under Article 28(7) and Article 46(2)(c) GDPR, they need to rely on transfer SCCs.

Clause 2 – Third party beneficiaries

According to Section I, Clause 2, “Data subjects may invoke and enforce these Clauses, as third-party beneficiaries”. However, this right solely applies to the provisions that are not listed under Clause 2.

The EDPB and the EDPS call on the Commission to provide, under this Clause, a list of the rights that are enforceable by data subjects, instead of listing those that are not enforceable. The authorities note that a number of the provisions included in the list provided in Clause 2 should actually be made enforceable by data subjects and should be deleted from that list.

Clause 6 – Docking clause

The EDPB and the EDPS welcome the inclusion of a docking clause in Clause 6 which allows, as an option, any entity to accede to the Draft SCCs and therefore to become a new party to the contract as a controller or as a processor.

The authorities are on the opinion that qualification and the role of the parties to the contract should appear clearly in the Annexes, especially in the case where new parties accede to the contract. Clause 6 (a) makes the accession of new parties to the Draft SCCs conditional upon the agreement of all the other parties. The EDPB and the EDPS would welcome clarifications on the way such agreement could be given by the other parties and whether and how such agreement has to be given by all the parties, irrespective of their qualification and role in the processing.

Resume per Module:

Module One (Transfer controller to controller)

The EDPB and the EDPS call on the Commission

to clarify, if this module is only relevant for independent or separate controllers, or if it could also be used in joint controllership scenarios.

Another issue is that the EDPB and the EDPS consider that the list of elements on which the data importer must provide information to data subjects should further be completed. The clause should be complemented with information on the types of personal data processed by the data importer, and the period for which personal data will be stored by the latter (or criteria used to determine it) and specify the timing in which the data importer shall provide the information to data subjects.

The EDPB and the EDPS also notes that obligations of the data importer under this clause raise several issues and some clarifications/ amendments are necessary.

Module Two (Transfer controller to processor)

The EDPB and the EDPS are of the opinion that in several places the wording in the module conflicts with Article 28 of the GDPR. For example, Clause 1.5 of the Draft SCCs stipulates that upon termination of the provision of the processing services, the data importer shall delete all personal data processed on behalf of the data exporter or return to the data exporter all personal data processed on its behalf and delete existing copies.

The EDPB and the EDPS are of the opinion that this wording conflicts with Article 28(3)(g) GDPR which provides for that deletion or returning takes place “at the choice of the controller”. The authorities note that Clause 1.5 should provide for that deletion or returning of personal data to take place at the choice of the data exporter acting as a controller to avoid any ambiguity that such choice is not up to the data importer acting as a processor.

Module Three (Transfer processor to processor)

The EDPB and the EDPS are of the opinion that the Commission needs to clarify whether the controller has to sign the clauses, or whether the processor and sub-processor only need to mention the identity of the controller in the Annex.

Other issues that are reviewed by the authorities in this module are related to storage limitation and erasure or return of data, security of processing and special categories of personal data.

Module Four (Transfer processor to controller)

The EDPB and the EDPS recognize that the scope of Module Four includes only transfers from a processor subject to GDPR to its own controller not subject to GDPR and excludes transfers from such a processor to any other controller. The authorities recommend a short explanation of the limited scope of Module Four and the inclusion in the module of all the necessary provisions of Article 28 GDPR directly applicable to the processor.

Horizontal remarks – Clause 2 and Clause 3

The EDPB and the EDPS note that the scope of Clause 2 and 3 should be clarified.

Clause 2 – Local laws affecting compliance with the Clauses

Objective assessment of the legislation of the third country:

The EDPB and the EDPS stress that the assessment of whether there is anything in the law or practice of the third country of destination, which prevents the data importer from fulfilling its obligations under the Draft SCCs in the context of the specific transfer, should be based on objective factors, regardless of the likelihood of access to the personal data.

New annex to be added to the Draft SCCs:

Тhe authorities recommend to add an annex to the Draft SCCs to require the parties to document, prior to the signature of the contract, thе assessment led under Clause 2 (i.e., the assessment of the third country’s legislation and practices in the light of the circumstances of the transfer).

Consultation of the SA on supplementary measures:

Тhe authorities note that it is the responsibility of the data exporter, with the assistance of the data importer, to identify supplementary measures in addition to SCCs and underline that there is no express legal basis in the GDPR according to which the supervisory authority would have to provide for such kind of consultation.

Clause 3 – Obligations of the data importer in case of government access requests

The EDPB and the EDPS recommend clarifying that access requests from courts and other public authorities of the third country fall within the scope of this provision.

Clause 5 – Data subject rights

The authorities are analyzing Clause 5 and note that some clarifications are necessary.

Clause 6 – Redress

The EDPB and the EDPS would welcome clarification in the Draft SCCs as to whether the option to offer data subjects the possibility to seek redress before an independent dispute resolution body, at no cost, has to be provided in all sets of clauses.

As for the clauses on redress envisaged in Modules One, Two, and Three (Clause 6(b)), the authorities are of the opinion that it should be made clearer that the data importer shall accept the right of the data subject (who invokes his or her rights as a third party beneficiary) to lodge directly a complaint with an EEA SA and/or bring a claim before an EEA court without the need to seek an amicable resolution of the dispute in advance.

Clause 7 – Liability

Modules One and Four:

The EDPB and the EDPS note that the joint and several liability towards the data subject would only be triggered in case there is a shared responsibility. The liability regime envisaged in the Draft SCCs does not provide for a full joint and several liability where each party would be responsible for the damage solely caused by the other party.

The authorities would like to recall that the Draft SCCs should incorporate effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law.

Modules Two and Three:

The possibility to seek the liability of the data exporter for any material or non-material damages caused by the data importer should not be conditioned by an action against the data importer.

Annexes

The EDPB and the EDPS consider that it is important that the contract which will be signed in practice, including its Annexes, will, delimit the roles and responsibilities of each of the parties in each relationship, and with regard to each transfer or set of transfers covered. The Annex to the contract should be precise enough so it is possible at any point in time to determine who takes which role as regards a specific transfer or set of transfers of personal data. The EDPB and the EDPS suggest to clarify that each transfer or set of transfers, should be separately described on the basis of its/their purpose(s), the types of personal data transferred, the category or categories of data subjects, the type(s) of processing, and the parties to the transfer, as well as the role of the respective parties.

A distinct Annex – which should include Parts I to VI – per transfer or set of transfers, will always be required. It should be signed only by those data exporters and data importers which carry out the respective transfer.

As regards Annexes describing technical and organizational measures:

 the EDPB and the EDPS suggest to expressly highlight in the Draft SCC that only those specific technical and organizational measures that will be applied to the respective transfer/set of transfers should be enumerated, while technical and organizational measures that will only apply to other transfers / categories of transfers covered by the same Multi Party Agreement should only be filled out in those Annex that relates to those respective transfers for their part.

As regards controller-processor relationships:

 The requirements set out in the Draft SCCs to enlist each and every sub-processor should be specifically recalled and reflected in Part V of the Annex. The EDPB and the EDPS would suggest to indicate the list of intended sub-processors in order to enable the controller to authorize the use of the intended sub-processors as required by Article 28(2) GDPR.