On 4 June 2021, the European Commission published the final version of the implementing decision on the below two sets of standard contractual clauses that may both be used by businesses as of 27 June 2021:
- Standard contractual clauses covering international (EEA cross-border) transfers of personal data (Transfer SCCs). Under the GDPR, transfers of personal data from the EEA to other countries is prohibited unless appropriate safeguards are put in place. The Transfer SCCs are one of the transfers tools provided by the GDPR and commonly used by businesses when involved in international data transfers.
- Standard contractual clauses that may be used between controllers and processors when the processor is carrying out processing activities on behalf of the controller and a data processing agreement under Art 28 GDPR must be put in place (Art 28 SCCs).
Transfer SCCs
The new Transfer SCCs are better suited for complex international processing scenarios than the existing ones, which are based on the data protection directive 95/46/EC. Contrary to the existing SCCs the new Transfer SCCs also apply to different processing scenarios often involving multiple data importers and exporters.
The Transfer SCCs also take into account the Schrems II ruling by the Court of Justice of the European Union and provides both data exporters and importers with certain tools to comply with the said ruling requirements (for more details on the Schrems II ruling please see our legal update on recent developments post CJEU Schrems II judgement). However, when preparing for international data transfers the relevant transfer parties should review the Transfer SCCs together with the European Data Protection Board’s very recently adopted (18 June 2021) recommendations on supplementary measures for data transfers. These recommendations derive from the Schrems II judgment and includes a six step plan helping businesses to assess the risks with EEA cross-border data transfers and to identify if supplementary measures must be put in place to protect the data to be transferred.
What is new under the Transfer SCCs?
- Transfer SCCs cover additional data transfer scenarios: While the existing SCCs cover data transfers (1) controller-controller and (2) controller-processor the new Transfer SCCs also cover transfers (3) processor – processor and (4) processor – controller. Also, the clauses can be used even if the data exporter is not established within the EEA but is nevertheless caught by the GDPR when, for example, offering goods or services to individuals within the EEA.
- Modular approach: The Transfer SCCs contain general provisions that apply to all kind of transfers taking place under the Transfer SCCs as well as modular provisions that must separately be chosen by the relevant parties for each specific transfer situation. Therefore, the taking into use of the new Transfer SCCs requires that businesses understand their role and select the right module for the transfer situation at hand. The Transfer SCCs may also be joined by several parties by the so called “docking clause”.
- Schrems II elements: The Transfer SCCs reflect the Schrems II ruling by requiring both the data exporter and importer to warrant that they have carried out an assessment based on which they have no reason to believe that the laws in the destination country would prevent the data importer from fulfilling its obligations under the Transfer SCCs (Data Transfer Risk Assessment). The Transfer SCCs include an example list of elements that may be taken into account when conducting the above assessment (such as the length of the processing chain, the number of actors involved and the transmission channels used, intended onward transfers, the type of recipients, the purpose of processing, the categories and format of the transferred personal data, the economic sector in which the transfer occurs, to name a few). The assessment must be documented and provided to the competent supervisory authority upon request.A further Schrems II element is the obligation of the data importer to notify the data exporter and the data subject if it receives a request from a public authority for disclosure of transferred personal data or if it becomes aware of any direct access by public authorities to transferred personal data. In these cases the data importer must also challenge the legality of the request and consider whether it has grounds to challenge such an order and if possible, challenge the request.
- Data processing agreement elements included: Where the Transfer SCCs are used in a controller-processor or processor-sub processor relation, the relevant parties do not need to draw up a separate data processing agreement. The Transfer SCCs already include the necessary stipulations of a data processing agreement as set forth under GDPR Art 28.
- 18-month transition period: While the new Transfer SCCs are available for use as of 27 June 2021, exporters and importers can continue to sign the existing SCCs until 27 September 2021. After this date no new contracts can be signed using the existing standard contractual clauses.
Businesses relying on the existing Transfer SCCs will have 18 months to replace them with the new ones. This means that by 27 December 2022 agreements with customers, suppliers and other parties with whom personal data is shared must have been updated and re-negotiated to include the new Transfer SCCs.
While the new Transfer SCCs certainly better reflect the increased complexity of businesses’ data processing activities, their use and application will also require more work from both data importers and exporters. Below are some recommended action items to be considered by businesses:
- Since data exporters and controllers cannot after 27 September 2021 sign new contracts using the existing SCCs, businesses will already now start to make themselves acquainted with the new Transfer SCCs and assess which data transfer scenarios and related modular provisions apply to their data transfers. Businesses must be ready to take the new Transfer SCCS in as an element in discussions and negotiations with their customers, suppliers and other business related parties end September 2021.
- Businesses should also map and review their current data transfers and especially identify such transfers that are made using the existing SCCs and the role it has in such a transfer. Contracts under which data transfers are made relying on the existing SCCs must be amended to include the new Transfer SCCs no later than 27 December 2022.
- Businesses should consider preparing a Data Transfer Risk Assessment template together with a plan on how to in practice carry out the assessment for each non -EEA country to which personal data is or may be transferred.
- Business may also consider implementing a process by which adoption of relevant data protection laws in third countries relevant for the business in question is followed-up.
Art 28 SCCs
The Art 28 SCCs serve as a model data processing agreement between controllers and processors where a processor carries out processing activities on behalf of a controller and a data processing agreement under GDPR art 28 must be put in place. Additionally, also a number of supervisory authorities across the EU have published their own model data processing agreements that also, naturally, may be used by controllers and (sub) processors.
The Art 28 SCCs are optional meaning that there is no obligation for a data controller or processor to use them. Hence, the Art 28 SCCs will not require additional work for businesses already having their own standard GDPR Art 28 compliant data processing agreements in place but businesses may continue to use their existing data processing agreements.
Parties wishing to use the Art 28 SCCs may attach them as an annex to their principal agreement. The clauses further come with four annexes to be filled in by the parties: (i) list of the parties, (ii) description of the processing, (iii) technical ad organizational measures and (iv) list of sub-processors.
The Art 28 SCCs do not cover international data transfers requirements. If personal data is transferred outside of the EEA in a controller-processor or processor-sub processor scenario, the Transfer SCCs (discussed above) include the necessary elements of a GDPR Art 28 processing agreement and, therefore, no additional data processing agreement must in these cases be put in place.