Data protection alert: Updated standard contractual clauses

On the 27th of June, the updated standard contractual clauses for the transfer of personal data to third countries (“SCCs”) entered into force. The SCCs are the long-awaited update to the old standard contractual clauses and include important modifications and new principles.

High-level overview of the SCCs update

Firstly, the SCCs update the old standard contractual clauses and bring them in line with the General Data Protection Regulation (“GDPR”). The SCCs include new obligations for data importers, which reflect the requirements of the GDPR, e.g. the obligation for the data importer to make available all information necessary to demonstrate compliance with the obligations set out in the SCCs and to allow for and contribute to audits of its processing activities by the data exporter.

Secondly, in addition to aligning the principles with the GDPR, the SCCs align the principles with the reality of transfers between different actors by providing clauses for the following types of transfer:

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller

The latter two are new compared with the old standard contractual clauses. The SCCs are written in a modular way, with certain clauses applying to all transfers, regardless of the capacity of the parties, and certain clauses applying only to transfers between specific actors. This means that the SCCs can be tailored to the specificities of the transfer of personal data and to the complexity of processing chains. As with the old standard contractual clauses, the parties have only a limited possibility to modify the SCCs or to add information to them, i.e. only where the SCCs themselves allow for modification or addition of information.

Thirdly, the SCCs introduce the so-called ‘docking’ clause, which allows additional controllers and processors to accede to the SCCs concluded between a data exporter and data importer.

Finally, the SCCs also take into account the Court of Justice's Schrems II decision, which invalidated the EU-US Privacy Shield but affirmed the validity of the mechanism of standard contractual clauses, provided that the destination country provides sufficient safeguards for the protection of personal data. On the one hand, the parties have to warrant that they have no reason to believe that the laws and practices in the third country prevent the data importer from fulfilling its obligations under the SCCs. This explicitly includes any requirements to disclose personal data or measures authorizing access by public authorities. On the other hand, the SCCs include the obligation for the data importer to notify the data exporter and the data subject if it receives a legally binding request from a public authority under the law of the destination country. Notification is also required if the data importer becomes aware of any direct access by public authorities to personal data.

Transfers to and from the UK

It is important to note that the SCCs do not apply to transfers from the UK to a third country. Consequently, these transfers will still be governed by the old standard contractual clauses until the UK provides for an update. Data transfers from the EU to the UK will continue to be governed by the so-called ‘bridging clause’ in the EU-UK Trade and Cooperation Agreement, which permits the flow of personal data from the EU to the UK. This bridging clause, however, expires on the 30th of June. On the 28th of June, the European Commission adopted two adequacy decisions relating to the GDPR and the Law Enforcement Directive, which ensure the ability to freely transfer personal data.

Timeline

The Commission Implementing Decision of 4 June 2021 foresees a transitional period. Until the 27th of September, controllers and processors will still have the option to use the old standard contractual clauses. By the 27th of December, however, all contracts using the old standard contractual clauses will need to be amended in order to replace the old standard contractual clauses with the new SCCs. In light of this requirement, businesses should start analyzing their existing data processing agreements and data flows to see where a transfer of personal data to a third country will continue beyond the end of the transition period, and develop a plan to update those contracts by the end of the transition period.

In case we can assist you with this topic, please do not hesitate to reach out to us.