On 4 June 2020, the European Commission (“EC”) adopted the long-awaited new Standard Contractual Clauses (“SCCs”) for transfers out of the European Economic Area (“EEA”). They are perceived as the most commonly used safeguards for personal data transfers outside of the EEA and their new shape can even strengthen this trend.
- What are the new SCCs and what is their purpose?
They are safeguards aimed at securing the transfers of personal data outside of the EEA.
In the absence of an adequacy decision issued by the EC, a controller or processor may transfer personal data to a third country only:
- if the third country has provided appropriate safeguards, and
- if enforceable rights and effective legal remedies for data subjects are available.
Such safeguards may be provided, inter alia, by standard data protection clauses adopted by the EC.
As far as adequacy decisions are concerned, the EC has so far recognized Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the United Kingdom, and Uruguay as providing adequate protection. On 16 June 2021, the EC launched the procedure to adopt an adequacy decision for the transfers of personal data to South Korea.
- When did the new SCCs come into effect and when do they start to apply?
They came into effect on 27 June 2021.
In general, they will apply from 27 September 2021.
If contracts concluded before 27 September 2021 based on the “old decision” provide the appropriate safeguards within the meaning of the GDPR, these contracts are deemed applicable until 27 December 2022, provided that the underlying processing operations remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
- Technically, how can one use the new SCCs?
They can be concluded separately, incorporated into a contract, and even extended if the extension does not contradict their provisions.
Parties are free to include SCCs in a wider contract and even to add other clauses or additional safeguards if those clauses or safeguards do not contradict, directly or indirectly, the standard contractual clauses or prejudice a data subject’s fundamental rights or freedoms.
- What has been updated in the new SCCs?
The new SCCs introduce some minor and material changes which help to professionalize their use.
Four transfer scenarios. Now SCCs have a modular character to cover various transfer scenarios, i.e.:
- Controller-to-Controller (Module One),
- Controller-to-Processor (Module Two),
- Processor-to-Processor (Module Three), and
- Processor-to-Controller (Module Four).
As a result, the SCCs envisage different provisions, and options within those provisions, to be chosen for a given scenario. Consequently, they cannot be concluded thoughtlessly but need to be read and tailored thoroughly. This is supposed to stop interested parties from concluding them automatically. It is worth noting that the two additional modules create a closed list of potential transfer scenarios, which has definitely clarified international transfers and filled existing gaps.
- Flexible accession. It is possible for more than two parties to adhere to the SCCs (even over time) thanks to an optional docking clause. In other words, additional controllers and processors should be allowed to accede to the standard contractual clauses as data exporters or importers throughout the lifecycle of the contract of which they form a part. In practice, interested parties did so anyway even under the old SCCs; however, the optional docking clause is now officially included.
- More international character. New SCCs are applicable to companies outside of the EU. They expressly recognize that data exporters can be established outside of the EU (envisaged by Module Four).
- DPA included. For scenarios within Modules Two and Three, there is no need for separate data processing agreements because they already contain all the requirements under Article 28 of the GDPR. This minor change is very useful mainly because this will save resources and time and help to avoid repetition.
- Copy of SCCs for data subjects. Data subjects must be provided with a copy of the SCCs upon their request. Although Article 13(1)(f) of the GDPR provides for this anyway, the fact that the new SCCs refer to this right strengthens its meaning. From the parties’ perspective, it is possible to redact text to protect confidential information. Nevertheless, the reasons for the redactions are to be presented to data subjects in an understandable way.
- Verification of sub-processors. When it comes to sub-processing under the specific prior authorisation model, the data importer must provide the data exporter with the information necessary to enable the data exporter to decide on the authorisation.
- Third-party beneficiary rights. The new SCCs maintain third-party beneficiary rights. This means that although data subjects are not parties to SCCs, they benefit from the fact that their provisions affect them. The new SCCs state that the data importer must inform data subjects of a contact point and deal promptly with any complaints or requests. Further, data subjects, if there is a dispute, should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent EU courts.
- More dedication from the parties. Parties are supposed to adjust transfers to take into account the dynamic changes that occur when it comes to local laws and practices affecting compliance with the SCCs. Prior to entering into SCCs, data importers are supposed to assess if they will ensure compliance with the SCCs especially as regards their legal environment. Interestingly, data importers may agree on challenging official disclosure requests to the extent permissible under the laws of the country of destination.
- Measures in use to be specified. The technical and organisational measures are to be described in specific terms. This means that the times of generic and thoughtless descriptions of measures are over. Parties should take care to provide a precise description of measures that secure personal data transfers.
To sum up, the new SCCs have become a more friendly, thoughtful, and useful safeguard but, at the same time, they require more dedication and engagement from parties that are interested in their use. In our view, this is a good moment to:
Firstly – check if each personal data transfer within a company is covered by SCCs or other appropriate safeguards.
Secondly – assess if the old SCCs in place in given transfer relationships are still legitimate and valid taking into account the new SCCs’ requirements and timeframes from point 2.
Thirdly – create a plan of successively implementing the new SCCs in place of the old SCCs to be in full compliance on 27 December 2022.