On 4 June 2021, the European Commission ("Commission") issued new standard contractual clauses ("SCCs")1 pursuant to the GDPR2 for the transfer of personal data to third countries. After a transitional period of 15 months, ie at the latest by the end of 2022, all currently concluded SCCs must be superseded by the new SCCs.
According to Art. 44 GDPR every transfer of personal data to a third country (i.e. a country outside the EU) must meet the standards as set forth in Chapter V of the GDPR. The transfer including any onward data transfer is only allowed if "adequate" safeguards for personal data are in place in the data recipient's country. In practice, this adequate level of data protection is often met with SCCs. Standard Contractual Clauses are a standardized contract with provisions that govern the proper handling of personal data of natural persons. The current versions of the SCCs were issued by the European Commission in the years 20013 and 20104 ("the old SCCs").
As a consequence of the CJEUs "Schrems II" ruling5 the "old" SCCs needed to be amended. In brief, the CJEU declared the SCCs to be valid in principle but require additional effective safeguards to ensure that the required level of protection is met in practice. The CJEU extended the review obligations for companies (and data protection authorities likewise). In particular, the CJEU demands that companies check the required level of data protection before transferring data (based on all circumstances of the individual case).
At the beginning of June, the European Commission issued a revised version of the SCC ("the new SCCs") which became effective as of June 27, 2021.
New obligations, more legal certainty
To reflect technological developments and the increase in cross-border data flows, the new SCCs not only include more obligations for the "data exporter" (i.e. the EU-entity transferring data to a third country) but also for its counterpart, the "data importer".
The new SCCs contain a modular approach that aims to depict all possible processing scenarios in only one document:
- Module 1: Controller to controller;
- Module 2: Controller to processor;
- Module 3: Processor to processor;
- Module 4: Processor to controller.
These modules enable data exporters and importers to select the clauses that are relevant to the type of data transfer they engage in (processor-to-processor and processor-to-controller transfers, in addition to controller-to-controller and controller-to-processors transfers included in the previous SCCs). The modules are supplemented by optional clauses that can be concluded by the parties if agreed upon.
A significant improvement is the possibility for processors acting as data exporters to conclude SCCs with other (sub-)processors themselves. This way, confusing multi-level agreements with (sub-)processors on behalf of controllers are rendered useless.
Immanent to the nature of the SCCs, also the new version focuses on strong data protection rights, e.g. with the "third-party-beneficiary" clause. According to this clause, data subjects are entitled to invoke and enforce most of the SCCs provisions including those on data security and on information obligations. When breached, the third party-beneficiary rights can be enforced against processor and/or controller (i.e. "all responsible parties") and the data subject is entitled to claim material and non-material damages.
Under the new SCCs, the data importer is obliged to immediately notify the data exporter if the security or confidentiality of the transferred data is to be compromised because of laws or practices of the third country to which the importer is or will be subject to. In addition, the data importer must review the legitimacy of a request for disclosure of personal data from a public authority and challenge it if it concludes that there are "reasonable grounds" to consider the request unlawful. If the data importer is prohibited from notifying the data exporter and/or the data subject, it must make every effort to have this prohibition lifted in order to communicate as much information as possible as quickly as possible.
Under the new SCCs the data exporter is obliged to assess the importers' country legal framework and the ability of the importer to fulfill its obligations pursuant to the GDPR when it comes to the safety of personal data. To give clear advice on this point, the SCCs now contain specific requirements that must be included in this assessment (e.g. specific circumstances and purpose of the transfer, type of recipient, categories and format of the personal data, laws and practices for disclosure, safeguards, etc).
The SCCs now introduce an optional but quite practical "docking clause": with this clause, an entity that is not a party to the SCCs may accede to them at any time, given that it has the same or adequate safeguards for the protection of personal data in place. This clause eliminates the need to conclude different contracts, making an overview of the processing operations and the parties concerned much easier.
Recommended immediate action
- Review/map your international data transfers
ATTENTION: such transfers might be triggered by simply using cookies on a website;
- Get in touch with your contracting party (parties) of the transfer and outline a step plan to conclude the new SCCs
REMEMBER: until December 27, 2022;
- Follow the instructions in the new SCCs for transfer risk assessment;
- Document each step to be able to prove them to the Data Protection Authority, if necessary.
- Stay tuned – we will follow up on this in more details.
1 Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
3 Decision 2001/497/EC amended by Implementing Decision (EU) 2016/2297 and complemented by Decision 2004/915/EC.
4 Decision 2010/87/EU amended by Implementing Decision (EU) 2016/2297.
5 Judgement of 16 July 2020, Schrems II, C-311/18, EU:C:2020:559.