GDPR introduces Standard Data Protection Clauses ('SDPC') as one of several safeguards for transferring personal data to third countries or international organisations in Article 46 (1), (2) (c) GDPR. To function as such a safeguard, SDPC need to be adopted by the European Commission.
To date, there is a lack as SDPC have not been adapted to GDPR yet, so clauses currently in use still reflect directive requirements. Additionally, clauses specifically addressing the needs of processor-to-processor ('p2p') environments are missing. And lastly, the approach of current clauses by expecting at least one party to be exporting does not reflect (European) business needs and modern business models where personal data may be leaving and (re-)entering the EU through a processing chain. By drafting these SDPC, those issues were key to be reflected.
Due to the current lack of SDPC according to Art. 46 (1) GDPR reflecting processor-to-processor environement, the development of a draft set of clauses was initiated by a consortium of different European and international companies.
Before drafting, an extensive review of existing literature and academic works was conducted to evaluate the current status quo. Further, the benefits and disadvantages of the WP 29 draft [PDF] were examined. Also, on-going consultation with different stakeholders and partners from industry (including associations representing diverse memberships with different processing activities, business models and company structures, including many small and medium-sized enterprises) and from the legal sphere (such as law firms specialized on data protection and IT-law) ensured to meet existing market needs. In this context, this draft of SDPC intends to be as comprehensive and accurate as possible – e.g. by avoiding redundant regulations and reducing complexity – in order to enhance wide market adoptions while simultaneously safeguarding a high level of data protection for third country transfers.