European Commission publishes final version of updated Standard Contractual Clauses
On June 4, 2021, the European Commission adopted the final version of the implementing decision on standard contractual clauses for the transfer of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). The European Commission had previously published drafts of the implementing decision and the SCCs in November 2020.
Key takeaways
The most important insights into the new SCCs include:
- The SCCs keep the modular approach of the design. They contain general provisions that apply to all data transfers that take place under the SCCs, and several modular provisions that must be selected according to the status of the parties under the GDPR. In particular, the SCCs can be used for (1) controller-to-controller transfers; (2) controller-to-processor transfers; (3) processor-to-processor transfers; and (4) processor-to-controller transfers, reflecting the complexity of modern data processing chains more accurately. The final version allows the contracting parties to include only the language from the respective modules that applies to them.
- The general clauses address: (1) the obligation of the parties to ensure that the data protection laws of the receiving country (including any requirements for disclosure of personal data or measures authorizing access by public authorities) do not prevent the data importer from fulfilling its obligations under the SCCs; (2) obligations of the data importer with regard to official access requests (e.g., to inform the exporter of such requests, to verify the legality of a request and to ensure that only the minimum amount of information permitted by law is provided in response to a request); (3) redress procedures available to data subjects; (4) liability between the parties in the event of a breach of the SCCs; (5) supervision of transfers by supervisory authorities; (6) obligations of the parties in the event that the data importer is unable to comply with the SCCs; (7) termination of the SCCs; (8) the possibility for the parties to choose the law of one of the EU Member States for the SCCs, which must allow third-party rights; and (9) choice of venue and jurisdiction to resolve disputes arising from the SCCs.
- Controllers and processors should select the modular clauses applicable to their situation and align their obligations under the SCCs with their respective roles and responsibilities in relation to the data processing in question. Depending on the designation of the parties as data controllers or processors, the modular clauses for the transfer relate to: (1) data protection guarantees that are provided by the parties due to their role in accordance with the GDPR (e.g., instructions for the transfer, transparency, purpose limitation, accuracy and data minimization, storage limitation, deletion and return of data, security, transfer of sensitive data and data in connection with criminal convictions or offenses, onward transfers and accountability of the parties); (2) the appointment of sub-processors in the context of transfers from controllers to processors and processors to processors; (3) rights of data subjects and obligations of the parties in the event of a request on data subject rights; and (4) the parties’ liability under the SCCs.
- The SCCs include three annexes, attached as an appendix.
- Annex I of the SCCs must be completed by the parties and contains (1) a list of the parties to the SCCs; (2) a description of the transfers (including the categories of data subjects whose personal data are transferred, categories of the transferred personal data, purpose(s) of the transfer and further processing, possibly maximum data storage periods and, for transfers to (sub-)processors, the subject, type and duration of processing); and (3) the identity of the competent regulatory authority for each party to the SCCs. To the extent necessary to adequately describe the data transfers taking place, the parties should complete a separate version of Annex I for each category of data transfer.
- Annex II of the SCCs should be completed by the data importer(s) with a description of the technical and organizational measures that have been implemented to ensure an adequate level of security for the transferred data.
- Annex III to the SCCs should, where appropriate, list the sub-processors used by the processor.
- Upon request, the data subjects are to be given a copy of the SCCs free of charge and to be informed of any change in the processing purpose or the identity of a third party to whom the personal data is being passed on. The parties may redact any part of the attachment prior to disclosure to the data subject in order to protect confidential information, but must provide the data subject with the reasons for such redaction upon request.
- With regard to onward transfers to additional recipients in third countries (even if the additional recipient is located in the same country as the importer), such transfers are prohibited unless the onward recipient agrees to the SCCs or another exception applies.
- Other exceptions to onward transfers include: (1) the recipient is located in a country believed to provide an adequate level of protection for personal data; (2) the recipient concludes a binding agreement with the importer which guarantees the same level of protection as the SCCs; or (3) data subjects give informed and explicit consent to the onward transfer to the respective recipient (if none of the other exceptions apply).
The SCCs come into force 12 days after their publication in the Official Journal of the European Union.
The existing SCCs will be withdrawn three months after the new SCCs are published in the Official Journal and organizations will no longer be able to rely on the existing SCCs for new data transfers after that date.
Contracts that already contain the existing SCCs (provided the existing SCCs remain unchanged) continue to be a valid data transfer mechanism for up to 18 months after the new SCCs have been published in the Official Journal.
Use in the UK
The SCCs cannot be used automatically in connection with data transfers from the UK. However, it is expected that the UK Information Commissioner’s Office will in due course adopt similar clauses for transfers of data out of the UK.