On 4 June 2021, the European Commission adopted two sets of Standard Contractual Clauses:
- Standard contractual clauses for controllers and processors in the EU/EEA;
- Standard contractual clauses for international transfers.
Main innovations of the new standard contractual clauses indicated in the press release of the European Commission are the following:
- Update in line with the General Data Protection Regulation (GDPR);
- One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- More flexibility for complex processing chains, through a “modular approach” and by offering the possibility for more than two parties to join and use the clauses;
- Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible “supplementary measures”, such as encryption, that companies may take if necessary.
According to Article 28 of GDPR the processing by a processor is to be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the elements listed in Article 28(3) and (4) of GDPR. That contract or act shall be in writing, including in electronic form.
The aims of approving the approved standard contractual clauses are the following:
- to have a coherent approach to personal data protection throughout the European Union and the free movement of personal data in the Union,
- to ensure compliance with the requirements of GDPR and (EU) 2018/1725, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources,
- to implement technical and organizational measures which meet the requirements of GDPR.
Please note that:
- the approved standard contractual clauses should apply in respect of the relationship between data controllers and data processors;
- the approved standard contractual clauses cannot be used as standard contractual clauses for the purpose of transfers of personal data to third countries or international organisations;
- controller and processor should be free to include the standard contractual clauses in a broader contract and to add other clauses or additional safeguards provided that they do not directly or indirectly contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.
Pursuant to Article 46(1) of GDPR, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the Commission pursuant to Article 46(2)(c).
The new Standard contractual clauses include processor-to-processor and processor-to-controller data transfer clauses
The new Standard contractual clauses are formulated on a modular basis, which includes the following four modules:
- Controller-to-controller transfers (Module 1)
- Controller-to-processor transfers (Module 2)
- Processor-to-processor transfers (Module 3)
- Processor-to-controller transfers (Module 4).
The news is that hitherto unregulated models’ processor-to-processor and processor-to-controller are included.
The new Standard contractual clauses could become a multilateral agreement
The new Standard contractual clauses allow for multiple data exporting parties to contract, and for new parties to be added to them over time (the so-called “docking clause”), beyond the initial parties.
This is very welcome, especially for intra-group transfers.
Influence of the Schrems II judgment
The new Standard contractual clauses have been supplemented with sections: “Local laws and practices affecting compliance with the Clauses” and “Obligations of the data importer in case of access by public authorities”, which follow directly from the Schrems II judgment.
The standard contractual clauses should provide for specific safeguards, to address any effects of the laws of the third country of destination on the data importer’s compliance with the clauses, in particular how to deal with binding requests from public authorities in that country for disclosure of the transferred personal data. The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses.
The data importer should notify the data exporter if, after agreeing to the standard contractual clauses, it has reason to believe that it is not able to comply with the standard contractual clauses. If the data exporter receives such notification or otherwise becomes aware that the data importer is no longer able to comply with the standard contractual clauses, it should identify appropriate measures to address the situation, if necessary in consultation with the competent supervisory authority. Such measures may include supplementary measures adopted by the data exporter and/or data importer, such as technical or organisational measures to ensure security and confidentiality. The data exporter should be required to suspend the transfer if it considers that no appropriate safeguards can be ensured, or if so instructed by the competent supervisory authority.
The new Standard contractual clauses lay down clear rules for technical and organizational security measures
The new Standard contractual clauses deal with the technical and organizational security measures implemented to protect the transferred data. The parties shall specify measures in specific and not generic detail. Simply stating the data importer has to implement appropriate technical and organizational security measures that will not cut muster.
The new Standard contractual clauses may be adjusted and supplemented, provided that such additions and corrections do not reduce the protection of data subjects’ personal data
The controller or processor transferring the personal data to a third country (the “data exporter”) and the controller or processor receiving the personal data (the “data importer”) are free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects;
The transition period is 18 months
According to the press release of the European Commission, a transition period of 18 months is provided for controllers and processors that are currently using previous sets of standard contractual clauses.
The final text of Standard contractual clauses
Only the final working documents are available. The only official text will be the one that will be published in the Official Journal in the coming days.
Prepared by an attorney at law Loreta Andziulytė and a Head of Employment practice Brigida Bacienė