On 04 June 2021 the European Commission issued two sets of standard contractual clauses (SCC) under the General Data Protection Regulation (GDPR):
1. SCC for the transfer of personal data to third countries (below “New Transfer SCC”); and
2. SCC between controllers and processors within EU (below “Controller-Processor SCC”).
What is the application of the SCC for transfer of personal data?
SCC for the transfer of personal data are one of the safeguard mechanisms established under the GDPR for ensuring a high level of protection where personal data is transferred from an entity subject to EU law (“data exporter”) to an entity that is not subject to EU law (“data importer”).
What about the currently existing SCC for transfer?
Until the adoption of the new SCC, two sets of SCC for transfers of personal data existed: one applicable to transfers between controllers and one applicable to transfers between a controller who is subject to EU law and a processor who is not subject to EU law. These two sets cannot be used for contracts concluded after 27 September 2021. For such contracts, controllers and processors need to use the New Transfer SCC. SCC concluded before 27 September 2021 can be used until 22 December 2022, provided that “the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards”.
What does the above mean for the business?
After 27 September 2021, controllers and processors need to use only the new SCC for data transfers in their relations with new partners, clients, vendors, etc. For their existing contractors, they can temporarily continue to rely on SCC that were signed before 27 September 2021, but an assessment will be needed on whether the old SCC continue to provide appropriate safeguards and whether there have been any changes in the processing operations and subject matter. Nonetheless, the new SCC should be implemented for existing contractors too before 22 December 2022. This means that every entity within the EU which transfers personal data to third countries and relies on SCC needs to update its contractual relations with its contractors located in third countries, so that updated SCC are in place with all of them before 22 December 2022.
What is new in the New Transfer SCC?
While the old SCC covered only transfers from controller to controller and from controller to processor, the New Transfer SCC also apply to processor-to-processor and processor-to-controller relations. The Commission establishes a four-module approach to the transfer of data covering:
These modules provide significantly higher flexibility to arrange complex data flow chains in which different parties participate in different capacities.
1) a list of the parties and a description of the transfer - in addition to the information provided within the old SCC, the New Transfer SCC require information on the nature of the processing and the frequency of the transfer, and explicit details on the processing carried out by the sub-processors, namely its subject matter, nature, and duration. This information should be specific and should provide a clear description of the transfer.
2) technical and organisational measures - the measures need to be described in specific (not generic) terms, clearly indicating which measures apply to each transfer or set of transfers, including the specific technical and organisational measures to be taken by the (sub-)processor in order to be able to assist the controller or the data exporter;
3) list of sub-processors - when a controller authorises the use of one or more sub-processors, the following information concerning each of them should be provided: name; address; contact person’s name, position, and contact details; description of the processing (including a clear delimitation of responsibilities where several sub-processors are authorised).
- it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of the SCC;
- it receives a legally binding request from a public authority under the laws of the country of destination for the disclosure of personal data transferred pursuant to the SCC;
- it becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCC in accordance with the laws of the country of destination.
As a concluding remark, the parties may add other clauses or additional safeguards, provided that: first, they do not contradict, directly or indirectly, the rules in the SCC; and second, they do not prejudice the fundamental rights or freedoms of data subjects.
The SCC for controller-processor relations within the EU are essentially a template for what has become known as a “Data Processing Agreement” or DPA, in other words a contract between controller(s) and processor(s) under Art. 28 GDPR. These SCC should not be confused with the SCC for data transfers discussed above, as they have a different scope of application. The Controller-Processor SCC are the first template of this kind provided by the European Commission, although the possibility of adopting such SCC has existed since the entry into force of the GDPR. Until now, every organisation has drafted its DPAs based on the requirements of the GDPR and in accordance with its own views on the structure and additional content of such a document.
Now, organisations can choose between filling in the Controller-Processor SCC and applying their own DPAs. The most important point to note regarding these SCC is that their use is not mandatory for controllers and processors, and there is no need for them to update their existing DPAs. This template is provided solely to facilitate controllers and processors in arranging their data processing activities in compliance with Art. 28 GDPR.
At this stage there seems to be no significant practical difference for businesses between filling in the Controller-Processor SCC and applying their own DPAs, as long as they comply with the mandatory requirements of Art. 28 GDPR. A custom DPA provides more flexibility, however, where an organisation wants to arrange something beyond the SCC. The SCC allow the parties to supplement clauses or safeguards, provided that these do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects. It cannot be said that an agreement under the SCC will be more concise or clear, or that it will require less effort to create, because of the large amount of information about the data processing that must be filled in the annexes to the SCC in each separate case of a controller-processor relationship.
The Controller-Processor SCC mostly adhere to the obligations already established in the GDPR. However, they add a few new obligations that could be derived from the GDPR but are not explicitly provided for in it. The SCC expressly provide that:
- controllers and processors shall make results of any conducted audits available to the competent supervisory authority/ies;
- the processor shall provide a copy of the sub-processor agreement(s) and any subsequent amendments to the controller at its request (to the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy);
- the processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations;
- the processor shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
As with the transfer SCC, the Controller-Processor SCC contain explicit annexes on technical and organisational measures and a list of sub-processors. They require the technical and organisational measures to be described concretely rather than generically, and also require a description of the specific technical and organisational measures to be taken by processors and sub-processors in order to be able to provide assistance to the controller.
Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en
Decision 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors can be found at the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0915&locale-en