Contact us directly via email, phone or facsimile. If you have a specific legal issue to discuss, please give us a call and our attorneys will be available to assist you.
On 4 June 2021, the EU Commission adopted the final Implementing Decision (EU) 2021/914 setting out new standard contractual clauses for transfers of personal data to countries outside the EU/EEA1 (i.e. “third countries”).
These new standard contractual clauses (the “SCCs”) have been eagerly awaited by practitioners in the sector to replace the previous ones i.e. the “old SCCs” that were adopted in 2001, 2004 and 2010 respectively, which were based on the now repealed Directive 95/46/EC.
Here are some clarifications on what you need to know about the new SCCs and what you should do.
In principle, the transfer of personal data to third countries that have not been recognised by the European Commission as providing an adequate level of protection of personal data is prohibited.
However, data exporters may proceed to such a transfer if they implement appropriate safeguards.
Among the recognised – and, in practice, the most used – appropriate safeguards, the data exporter may enter into an agreement containing the old SCCs adopted by the EU Commission with the data importer located in a third country.
However, since the so-called “Schrems II” ruling by the European Court of Justice, the old SCCs are under scrutiny. Indeed, the Court ruled that the old SCCs were valid but added a significant condition:
Failing that, data exporters shall not transfer personal data or at least suspend their transfer.
NEW SCCs: GLOBAL CHANGES IN PERSPECTIVE
The SCCs bring about a number of changes with practical implications, which we have summarised as follows:
The SCCs have now been drafted to cover different processing situations, offering four different modules. This is a different approach from the old SCCs that provided two different sets of clauses only governing processing situations where data controllers were transferring personal data (transfers from a controller to another controller and transfer from a controller to a processor respectively).
The SCCs now encompass a larger number of processing situations, making them more flexible to use, including:
The SCCs considerably ease a number of practical formalities, such as:
(i) the inclusion of an optional docking clause which allows new parties to be added to the SCCs during processing, making it easier to adapt to changes without having to re-sign documents;
(ii) the removal of the need to conclude an additional data processing agreement to govern the relationship between a processor and a controller, as all requirements foreseen under article 28 GDPR are now already reflected in the SCCs; and
(iii) the fact that the SCCs do not only relate to relationships between the contracting data exporter and data importer. Data subjects are also able to directly invoke most of the clauses in the SCCs against the data exporter and data importer.
Without being exhaustive, the SCCs’ content can be summarised as follow:
In a P2P3 relationship, a specific obligation lies on the exporting processor to inform the importing processor of the controller’s instructions as well as to inform the controller if the importing processor is not able to follow the controller’s instructions. It therefore acts as a sort of intermediary between the controller and the importer.
In a P2C4 relationship, the processor is also tied to the documented instructions of the importing controller. However, it must notify the controller if it is unable to follow its instructions and the controller must not give instructions contrary to the provisions of the GDPR.
In the SCCs, where the importer is a processor, it must only process personal data for the specific purposes included in an Appendix to be completed by the parties.
However, the importer has a bit more freedom where it acts as a controller. In C2C5 relationships, the obligation is limited to processing personal data in a manner that is not incompatible with the purposes specified in the Appendix and it may rely on certain exceptions (such as the consent of the data subject to processing for different purposes).
In a P2C relationship, there are no specific restrictions on the importing controller, who is free to choose its own purposes for the processing of personal data.
In that respect, all of the SCCs modules (with the exception of the one governing P2C relationships, which has no specific provisions in this respect) specify that the SCCs shall be made available to data subjects on request.
In a C2C relationship, the transparency obligation is much broader. The importer must inform data subject of its identity and contact details, the categories of personal data processed, of their right to obtain a copy of the SCCs and various additional information where an onward transfer is planned.
In a C2C relationship, both parties are required to correct inaccuracies and shall inform each other of such inaccuracies. Where the importer is a processor, it is required to notify the controller of any inaccuracies. In this case, the correction action must be carried out by the controller with, if necessary, the help of the processor.
In a P2C relationship, however, there are no specific provisions on accuracy of data.
In a P2C relationship, there are no specific provisions on this subject, the importing controller being then free to set the duration it sees fit for the processing of personal data.
In this respect, Annex II must be completed by the parties to the SCCs, which describes the security measures to be implemented by the data importer.
In a C2C relationship, the importing controller’s obligations are far more wide ranging and include the obligation to report a breach directly not only to the exporting controller, but also to the supervisory authority or the data subjects, as the case may be.
On the contrary, the obligations are less stringent in a P2C relationship, the security obligations being limited to data transmission, confidentiality obligations and assisting the importing data controller in ensuring security. It should be noted that where sensitive data are processed, the parties shall document specific restrictions or safeguards to secure the transfer of personal data.
Such transfers are possible under the condition that the other entity adheres to the SCCs (using the appropriate module) or the transfer is subject to the appropriate safeguards described under the GDPR. Other grounds for transfers may also be invoked (for example depending on the situation: explicit consent of the data subject or defending legal claims).
In a P2C relationship, onward transfers are not further regulated.
In a C2C relationship, the controlling importer must deal with data subject rights requests. However, several rights are excluded, such as the right to data portability and the right to object to processing based on legitimate interests.
In a P2C relationship, each party shall mutually assist each other in responding to data subjects’ requests. Where the importer is also a data processor, it must notify the controller of the data subject request and help them deal with it.
The new SCCs have been drafted to take full account of Schrems II requirements i.e. the parties warrant in the SCCs that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data prevent the data importer from fulfilling its obligations under the SCCs. In their assessments of the laws and practices in the third country, the parties are required to take into account several criteria6.
WHAT SHOULD I DO ?
TRANSFER OF PERSONAL DATA OUTSIDE THE EU AND UK CHECKLIST :
The Implementing Decision of the EU Commission is effective as of 27 June 2021 and the new SCCs may be used from this date.
The old SCCs may still be used until 27 September 2021 but will be valid only until 27 September 2022. Therefore, companies relying on the old SCCs for international transfers should now consider entering into the new SCCs.