The European Commission recently published draft Article 28 Standard Contractual Clauses for use between controllers and processors located within the European Union.  The draft Article 28 Clauses are distinct from, and  should not be confused with, the European Commission’s new draft Standard Contractual Clauses (SCCs) for data transfers out of the EEA.  The latter SCCs contain their own set of Article 28 clauses.


Article 28 GDPR provides that, where a processor carries out processing of personal data on behalf of a controller, the parties must enter into a written agreement which shall impose specified obligations on a processor.

Article 28(7) and (8) GDPR provide the European Commission, or a supervisory authority, with the power to adopt standard contractual clauses to address the requirements in Article 28 GDPR.  The draft Article 28 Clauses are the first standard clauses adopted by the European Commission.

The Clauses

The draft Article 28 Clauses set out the data protection obligations that a controller must impose on the processor pursuant to Article 28 GDPR.  In addition, the Article 28 Clauses contain a number of annexes that must be completed by the parties, including, for example, a detailed description of the data processing activity and special restrictions concerning the processing of sensitive personal data.

It will not be compulsory to use the European Commission’s Article 28 Clauses.  Businesses may continue to use bespoke data processing agreements between controllers and processors to satisfy the requirements of Article 28 GDPR. However, the draft Article 28 Clauses provide a useful European Commission-approved benchmark against which businesses can consider their controller-processor agreements.

The Article 28 Clauses are open to public consultation until 10 December 2020. A finalised set of Article 28 Clauses will likely be published by the European Commission in early 2021.