Supplemental protection to Standard Contracting clauses is additional forms of appropriate safeguards. They are important for being compliant with the GDPR in view of a recent judgment from the European Court of Justice (Schrems II). Reading time: 3 minutes
What is supplemental protection to Standard Contracting clauses?
The Standard Contracting clauses, the SCCs, are contracts for data transfers from the EU/EEA with obligations on the parties to ensure secure data transfers. There are several forms of appropriate safeguards. You must use them when regularly transferring personal data to a non-approved country outside of the EEA. The EU Commission can approve non-EU countries’ legislation to provide adequate security for personal data in the form of its so-called adequacy decisions.
Supplemental protection is any other form of appropriate safeguard that you can use. These forms have become especially relevant following the so-called Schrems II-judgement. In the judgement, on the 16 of July 2020, the ECJ ruled on EU-US data transfers and invalidated the EU-U.S Privacy Shield Framework. The Court stated that all companies must verify that the recipient country’s data protection legislation ensures adequate protection for the exported personal data. This must be done in each country where the data would be transferred to. Consequently, the judgement means that there is a significant need for supplemental protection.
Which forms of supplemental protection are there?
There are several forms of supplemental protection. Not all are usable for most companies. The most relevant ones are (1) binding corporate rules, (2) codes of conduct, (3) certification mechanisms and (4) contractual clauses.
Binding corporate rules
Binding corporate rules, or BCRs, are internal codes of conduct within multinational groups. The rules apply to the transfer of personal data from an EU/EEA country to a non- EU/non-EEA country. They must also be legally binding to all members of the group. The supervisory authority must approve the BCR, which is a complex and time-consuming process. The EDPB has provided more detailed guidelines.
Need templates, second opinion or support for your DPAs?
Connect with leading experts with a multitude of templates. Reviewing a customer DPA – ask for a second opinion from our experts. Track record with leading European startup, mid-size companies and listed global enterprises.
Get a quote today from the business law firm Sharp Cookie Advisors
The BCR’s validity for EU-US transfers are also affected by the Court’s finding that US law does not protect personal data to a necessary extent (in certain circumstances). Watch this space as the European Data Protection Authorities are providing updated guidelines continuously.
Code of conduct
A code of conduct is another form of protection. The code must fulfil the requirements of Article 40 GDPR and the supervisory authority must approve the code. It must also contain binding and enforceable commitments for the receiver (i.e. the one who is outside of the EEA). The code of conduct should address the specific needs of you as a controller. It should generally cover topics such as pseudonymisation and transparency.
Approved certification mechanisms are another way of complying with the GDPR. The relevant supervisory authority approves a certification body. Thereafter the certification body, in turn, assesses an approves of an organisation. The certification must contain certain criteria. Examples are criteria about the lawfulness of processing and data subjects’ rights.
Contractual clauses must concern a specific transfer of personal data. The supervisory authority of the sending country must approve the contractual clauses. This alternative is not particularly useful for general transfers of personal data. However, some supervisory authorities are not authorising any clauses at the moment. They are instead waiting until the EDPB provides guidelines.
Some supplemental protection isn’t usable for business
There are some additional alternatives for supplemental protection. Unfortunately, they are not all that useful for businesses. As a result, they will only be mentioned briefly. Instruments between public authorities only apply to public authorities. The EU Commission could also approve of standard data protection clauses adopted by supervisory authorities. Unfortunately, this has not happened yet. Administrative arrangements also only apply to public authorities.
In summary, there are four main ways for a business to supplement Standard Contracting clauses. Of these four, binding corporate rules, codes of conduct and certification mechanisms are the most relevant. Contractual clauses are mostly intended for specific transfers.