European Commission has, in the aftermath of the Schrems II ruling, approved a new set of Standard Contractual Clauses (SCCs) with safeguards to permit international transfers. Organisations that have international supply chains and/or wishes to leverage offshore resources must adopt the new SCCs and perform Transfer Impact Assessments. This article will explain the new SCCs and guide you on how you can use them. Reading time: 10 minutes
Executive Summary of the new SCCs
The Background: Strict requirements required for international transfers
Using international suppliers or sharing personal data intra-group outside of the EU/EEA must meet certain requirements under the GDPR. If the recipient country does not have “an adequate level” of data protection compared to the GDPR, then the European Commission’s Standard Contractual Clauses (SCCs) are the most common mechanism to use. Using the SCCs has become more complex due to the Schrems II ruling that clarified the GDPR requirements for international transfers and imposed new obligations on data exporters and importers. The Schrems II decision invalidated the EU-US Privacy Shield and clarified data exporters obligations when using non-EU suppliers or intra-group transfers with a non-EU element. This, combined with the age of the previous SCCs, has created the need for an updated SCC mechanism.
The Development: New SCCs may address the challenges of the Schrems II ruling
On June 4, the European Commission introduced the new set of Standard Contractual Clauses (SCCs) to replace the old model agreements from 2010 (adopted under GDPR’s predecessor the European Union Directive 95/46/EC). The new SCCs have a modular approach and cover more situations than the old model clauses. Stronger protection for personal data is introduced, new obligations on the parties to assess the legality of the intended transfer and increased transparency towards customers and individuals.
Practical Implications: Using the new SCCs together with proper transfer impact analysis may allow for international transfers
Organisations that have international supply chains and/or wishes to leverage offshore resources must adopt the new SCCs and perform Transfer Impact Assessments for each transfer. The new SCCs incorporate elements of the Schrems II decision requiring the controllers to perform an assessment of the receiving countries legislation and if the importer can meet the GDPRs requirements. Organisations that have entered into the old SCCS before 27 September 2021 may still rely on them during the transition period ending 27 December 2022. After 1 September 2021, it is no longer possible to enter into the old SCCs, but the new SCCs must be used.
The relevant law of international transfers
When transferring data outside of the EU/EES, GDPR chapter V applies. In accordance with Article 44, a transfer must comply with these rules. This is to ensure that the level of protection guaranteed by the GDPR is not undermined.
Sharp Cookie Advisors
You may do a transfer on the basis of several different mechanisms. You can use an adequacy decision (Article 45) or use appropriate safeguards (Article 46). There is also the possibility of derogations for specific situations (Article 49). Appropriate safeguards include several mechanisms, such as binding corporate rules (Article 47), approved codes of conduct (Article 40) or Standard Contractual Clauses (Article 93).
For transfers to the U.S., for example, the Schrems II ruling has made the appropriate safeguards and SCCs, particularly important.
The SCCs is a set of standard contractual clauses concerning data protection that the European Commission has drafted. The SCCs previously in use were drafted in 2010. These new SCCs are to replace the old ones.
Main differences between the old and new SCCs
Among much other news, the new SCCs use a risk-based approach for international transfers. This means that importers of data can weigh in the actual risks of data being accessed by public authorities.
The first set of SCCs applies to international transfers. They are for so-called “data exporters” and “data importers”. Data exporters are the ones transferring the data, and data importers are the ones receiving data. They are divided into four sections.
- Section I. General introductory provisions and docking mechanisms. This includes the purpose of the SCCs, their invariability, third-party beneficiaries and their interpretation.
- Section II. The obligations of the parties. The section contains the needed data protection safeguards, regulates sub-processors, liability and supervision.
- Section III. Local laws and access by public authorities. In particular, local laws and practices effect on the SCCs are regulated, and the obligations of the parties in case of access by public authorities.
- Section IV. Non-compliance, termination and governing law. This explains what happens if the parties do not comply with the SCCs, and also clarifies the choice of forum and jurisdiction.
Although you can rely on the old SCCs for international transfers at the moment, there is still work to be done. You must evaluate your current supply chains and make sure that all subcontractors have contracts that are up to date. In the meantime, you should start assessing the impact of local laws on your processing activity. To help with this, you should map out your transfers. It should also be helpful to build certain obligations, such as transparency and subjects rights, into your process already.
The new SCCs have four different modules that are party-dependant.
- Module one: Controller – controller.
- Module two: Controller – processor.
- Module thre: Processor – processor.
- Module four: Processor – controller.
The purpose of the modular approach is to cater to the differences in various transfer scenarios. It also enables more than two parties to adhere to the SCCs.
The new SCCs enables transfers between processors to be covered by SCCs. This was not the case before. The same is true for transfers from a processor in the EU back to a controller outside of the EU. This is solved by modules three and four.
In addition, for some modules, a separate data processing agreement is not needed. This applies to controller – processor and processor – processor transfers (modules two and three). This differs from the previous SCCs, where they did not stand up to the requirements of GDPR Article 28.
Strengthened data subject rights
Clause 3 give data subjects the right to invoke some of the clauses of the SCCs against data exporters and/or data importers. Furthermore, Clause 10 specifies the obligations of parties relating to subjects rights. For module one, the data importer shall deal with requests from data subjects and provide relevant information. For modules two and three, the data importer shall instead notify the data exporter and assist in fulfilling their obligations. Lastly, for module four, both parties shall assist each other.
Moreover, data importers must provide data subjects with a contact point authorities can use to handle complaints. This is according to Clause 11. The parties must also keep each other informed and cooperate in resolving the issues. If a data subject brings legal proceedings against the parties, they may do so where they have their habitual residence.
Can be used for multi-party arrangements
It is possible to include the new SCCs in a wider contract according to Clause 2. This means that you can add the SCCs to your own contracts that regulate more than just data protection. In addition, you can add additional clauses and/or safeguards to the SCCs. They may not, however, contradict the SCCs. Neither may they contradict the fundamental rights of data subjects.
Furthermore, there is an optional docking clause in Clause 7 that you can use. This clause enables third parties to accede to the SCCs. This enables flexibility and usability.
Use by non-EU data exporters
The new SCCs address four types of transfers (controller – controller, controller – processor, processor – processor and processor – controller). These four types of transfers include cases where the exporter is not established in the EU/EEA. However, to be able to use the SCCs when the exporter is not in the EU/EEA, they must fall under the GPDR pursuant to GDPR Article 3(2).
When do the new SCCs come into effect?
The new SCCs enter into force on 27 June 2021 (in accordance with Article 4). This means that they are available to use from that date forward. However, you are still able to implement the old SCCs until 27 September 2021.
After 27 September 2021, you cannot implement the old SCCs. Nonetheless, you are able to continue relying on the old SCCs until 22 December 2022. This is as long as the processing operations remain unchanged and appropriate safeguards are in use. During this grace period, it is vital that companies ensure that their entire supply chain complies with the new SCCs.
To be able to use the new SCCs, there must be two parties who are performing international transfers according to Clause 1. You cannot use the SCCs when the GDPR applies according to Recital 7. This might seem straightforward but might lead to complications due to the wide reach of the GDPR.
Transfer Impact Assessment Remains Required Under the New SCCs
In the Schrems II decision, the ECJ pressed the importance of performing and documenting a transfer impact assessment. The assessment could include evaluating the risk of government access, adequate protections, and the local legal framework. Such an assessment must be made available to the competent supervisory authority on request. This obligation still applies under the new SCCs. The new SCCs provide some guidance for what the TIA must contain, see in particular section III.
Enforcement by the Competent Supervisory Authority
For modules one, two, and three, Clause 13 states which supervisory authority is responsible. This is the competent supervisory authority. If the data exporter is established in the EU, the supervisory authority chosen in Annex I.C is the competent authority. When the exporter is not established within the EU but falls within the territorial scope of the GDPR, there are two options. If they have appointed a representative, the supervisory authority of the EU Member State where they are located is competent. If they have not appointed a representative, the EU Member State of the data subject affected is competent.
The data importer must submit to any enquiries and audits from the competent authorities. This is according to Recital 13. In general, the law of an EU Member State applies according to Clause 17. For most, it is the law of the EU Member State where the data exporter is established. For module one, there is also the option to choose an EU Member State.
Data subjects may lodge a complaint to the competent supervisory authority. This is if they want to invoke their rights as third-party beneficiaries. The parties must submit to the authorities jurisdiction and cooperate with it.
What must you do under the new SCCs?
The new SCCs demand certain obligations from the parties. In some clauses, the exact obligations differ from module to module.
In general, you must ensure that there is an adequate level of protection. This is clearly stated in Recital 7. This includes taking into account the particular circumstances of their transfers. Some aspects of this are the laws and practices in the country of destination.
You must take special measures when needed to ensure the protection of the data according to Clause 15 and Recitals 16, 18 and 20. If the data importer fears that they do not live up to the standard, they must notify the data exporter.
Data protection safeguards must be taken
Clause 8 has several subclauses that are highly dependant on the module you use. All of the subclauses will be listed and briefly explained in the following.
- Instructions (modules two, three and four). You shall only process data on documented instructions.
- Purpose limitation (modules one, two and three). Data can only be held for the specific purposes listed.
- Duration of processing and erasure or return of data (modules two and three). Processing can only take place for the specified duration.
- Security of processing (all modules). You must use appropriate safeguards to protect the data.
- Sensitive data (modules one, two and three). Transferring sensitive data demands specific restrictions and/or additional safeguards.
- Documentation and compliance (all modules). You must be able to demonstrate compliance with the SCCs and document it. The documentation must be available to supervisory authorities and the other party.
- Transparency (modules one, two and three). You must disclose certain information to data subjects to ensure their rights.
- Accuracy (modules two and three). The data must be accurate and up to date.
- Storage limitation (module one). You cannot store personal data longer than necessary.
- Onward transfers (modules one, two and three). Onward transfers to third parties is only possible if the party enters into the agreement. Alternatively, the data exporter can explicitly instruct the party to do so. There is also a list of exceptions that may apply.
- Processing under the authority of the data importer (module one). Any person acting under a party’s authority may only process data on its instructions.
There are specific rules for handling disclosure requests from national authorities
When receiving disclosure requests, the data importer must notify the data exporter. The same applies in the case of other direct access of data by public authorities. They must provide additional information, such as the requesting authority and the basis of the request.
The data importer must also review the legality of the request. If it is reasonable to do so, they must challenge it and pursue possibilities of appeal. In addition to this, they must seek interim measures. Disclosing of personal cannot be done until required to do so. If disclosing data, only the minimum amount requires shall be disclosed.
Clause 12 regulates liability for the parties. When transferring to a controller, each party is liable to the data subject. This is the situation in modules one and four. If more than one party is responsible, they are jointly liable. When transferring to a processor, the data importer is liable. Notwithstanding this, the exporter is liable for any breaches of the SCCs.
Regardless, each party is liable to the other for any damages caused by a breach of the SCCs. The parties may agree that one party is liable and therefore entitled to claim back their part of the compensation.
Non-compliance and termination of the SCCs
If the data importer is in breach of the SCCs, you must suspend data transfers. This is according to Clause 16. If compliance is not restored within a reasonable time, the data exporter is entitled to terminate the contract. A reasonable time cannot be longer than one month. The same also applies if the breaches are substantial or persistent. It also applies if the data importer fails to comply with a decision regarding its obligations under the SCCs. Lastly, it is also possible to revoke the agreement if the European adopts an Adequacy decision.
If terminating the contract, the importer must return the data or delete it. Data can only be retained if required to do so under local laws.
Sub-processors and annexes to the SCCs
There are, for modules two and three, two options for allowing sub-processors. You can find both in Clause 9.
The first option is to use specific prior authorisation. This means that the data importer must ask for specific authorisation. This must be done a certain time period before the engagement. The authorised sub-processors must be listed in Annex III.
The second option is to have general consent. The importer must inform the exporter that they intend to use the sub-processor. If the exporter does not object within a specified time period, the importer may proceed.
Regardless of which option you use, the sub-processors must have a contract that ensures the same level of protection as the SCCs. Furthermore, the responsibility still lies with the data importer.
The annexes to the SCCs contain a few different provisions. Annexe I.A contains a clear list of parties, with contact details and similar information. Annex I.B contains a description of the processing, including the category of data transferred and the purpose of processing. Lastly, Annex I.C identifies the competent supervisory authority.
In Annexe II, you must list technical and organisational measures to ensure the security of data. The annexe gives some examples of measures. You must describe them in specific terms.
Annexe III lists approved sub-processors when using the option of specific authorisation.
Introducing new contractual clauses for Data Processing Agreements wihtin the EU/EEA
The European Commission also adopted a set of contractual clauses for EU/EEA controllers and processors. These standard contractual clauses concern the provisions necessary for a data processing agreement under Article 28 GDPR (not to be confused with the SCCs that apply to transfers outside of the EU).
Applicability and time limit
The new SCCs are applicable when one party is a controller and the other party is a processor. It must also concern processing within the EU. The new SCCs enter into force on 27 June 2021.
Inclusion in wider contract and docking clause
Like the SCCs for international transfers, the EU-internal SCCs can be included in wider contracts. This cannot lead to the detriment of the SCCs or subjects’ rights. The SCCs and additional clauses must be interpreted in light of the GDPR. In case of a conflict between the SCCs and related agreements, the SCCs prevail according to Clause 4. There is also the option of a docking clause.
What you must do under the new contractual clauses
As with the SCCs for international transfers, the contractual clauses impose certain obligations upon the parties.
Obligations of the Parties
Clause 7 has several subclauses that define the obligations inherent in the SCCS. All of them will be listed below and briefly explained.
- Instructions. You shall only process data on documented instructions.
- Purpose limitation. Data can only be held for the specific purposes listed.
- Duration of processing and erasure or return of data. Processing can only take place for the specified duration.
- Security of processing. You must use appropriate safeguards to protect the data.
- Sensitive data. Transferring sensitive data demands specific restrictions and/or additional safeguards.
- Documentation and compliance. You must be able to demonstrate compliance with the SCCs and document it. The documentation must be available to supervisory authorities and the other party.
Furthermore, any international transfers can only be done on the basis of documented instructions. This transfer must comply with GDPR Chapter V. Additionally, if using a sub-processor leads to an international transfer, they must be bound by an appropriate SCC.
Personal data breaches
If a personal data breach occurs, the processor must assist the controller according to Clause 9. This could be notifying the controller of the breach, including its nature, consequences and measures taken to address the breach. It could also be assisting in notifying competent authorities and obtaining relevant information.
Assistance with data subjects
When receiving requests from data subjects, the processor must notify the controller. They may only respond if authorised to do so. Furthermore, they must assist the controller in their obligations towards data subjects. This is also true for DPIAs and consultation of supervisory authorities.
The use of sub-processors
The use of sub-processors is regulated in Clause 7.7. There are two options. The first option is to use specific prior authorisation. This means that the processor must ask for specific authorisation. This must be done a certain time period before the engagement. The authorised sub-processors must be listed in Annex IV.
The second option is to have general consent. The processor must inform the controller that they intend to use the sub-processor. If the controller does not object within a specified time period, the processor may proceed.
Regardless of which option you use, the sub-processors must have a contract that ensures the same level of protection as the SCCs. However, the responsibility still lies with the processor. The contract must also have a third-party beneficiary clause. This clause must give the controller the right to terminate the contract if the processor has ‘factually disappeared.
Lastly, the controller has the right to a copy of the processors’ agreement with their sub-processor. Business secrets and other confidential information may be redacted.
Non-compliance and termination of the contractual clauses
If the processor is in breach of the SCCs, the controller may suspend the transfers. This is according to Clause 10.
If compliance is not restored within a reasonable time, the data exporter is entitled to terminate the contract. A reasonable time cannot be longer than one month. The same also applies if the breaches are substantial or persistent. It also applies if the data importer fails to comply with a decision regarding its obligations under the SCCs.
The termination of the contract means the return or deletion of data. The exception is when you must retain information due to legal obligations.
Annexes to the SCCs
Annexe I of the SCCs contain a list of parties. This includes their contact details, signature, and accession date.
In Annex II, you describe the processing in detail. This includes, for example, the nature and purpose of processing. For sensitive data, specific restrictions and safeguards are also listed.
You must also describe technical and organisational measures in Annex III. You must do this concretely. Annex III also contains a list of examples for possible measures.
Lastly, Annex IV contains a list of sub-processors. Annex IV is only used in the case of specific authorisation for sub-processors.