The European Commission officially adopts new Standard contractual clauses for personal data transfer to third countries

Share this publication

The Decision on the adoption of the new Standard contractual clauses (SCC) of the European Commission (EC) was published in the Official journal of the EU on 7th June, 2021 and will enter into force on 27th June, 2021.

The currently effective decisions which have established previous SCC – Decision 2001/497/ЕО and Decision 2010/87/ЕС shall be repealed with effect from 27th September, 2021. Contracts concluded before this date on the basis of these Decisions shall be deemed to provide appropriate safeguards until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.

The new standard contractual clauses will be applicable not only to transfer relations controllertoprocessor, controllertocontroller, but also in case of data transfer in the relations processortocontroller and processor-to-processor. Major step ahead in the data transfer regulation is the possibility to include SCC in agreement concluded between data exporter and a third party, both of them not established in the EU, in case the data exporter is subject to the GDPR (and therefore to the data export rules) by virtue of the GDPR’s extraterritorial scope provided in Article 3(2).

The new SCC represent a compilation of common clauses applicable to all different lines of data transfer to third countries and modular clauses which will be applicable after having considered the legal position of the parties in their relations – controllertocontroller, controllertoprocessor, processortoprocessor or processortocontroller.

What is new?

The SCC agreement may be concluded as a multilateral one but if concluded as bilateral there is a possibility for new data importers/exporters to be added to them beyond the initial ones through the so-called Docking clause – this will be in great use for the associated enterprises or when a new company is acceding to a group of companies – in such case an accession agreement may be concluded easily.  

The controllers and processors may incorporate the SCC in an agreement with wider scope of protection as long as those additional clauses do not contradict, directly or indirectly, the SCC or prejudice the fundamental rights or freedoms of data subjects.

What about the guidelines in the Court’s decision – Schrems II?

The EC gives us whole section “Local laws and obligations in case of access of public authorities” which is structured following the requirements in the case-law mentioned above. The provisions in this section do not have modular approach and are applicable directly to each possible kind of legal relations between controllers and processors.

The first clause in the Section provides that each party warrants that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer prevent the data importer from fulfilling its obligations under these Clauses.  In order to ensure this the parties must take into consideration the specific circumstances of the transfer, the laws and practices of the third country of destination and any relevant contractual, technical or organizational safeguards put in place. This whole process must be documented and made available to competent data protection supervisory authorities on request. This assessment may include reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer.

The data importer is obliged to notify the data exporter and the concerned data subject in case of receiving a legally binding request from a public (including judicial) authority under the law of the country of destination for disclosure of personal data transferred pursuant to the standard contractual clauses. If the data importer is not in a position to notify the data exporter and/or the data subject of specific disclosure requests, it should provide them with as much relevant information as possible on the requests. In case the data importer concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the third country of destination, it should challenge it, including, where appropriate, by exhausting available possibilities of appeal. In any event, if the data importer is no longer able to comply with the standard contractual clauses – even if it is because of the public authorities, it should inform the data exporter accordingly. In such case if appropriate safeguards for mitigating the risk for the personal data cannot be undertaken, the data exporter may terminate the agreement (including the data transfer) – а serious outcome that may reasonably concern business partners outside the EU as long as the deal’s “lifetime” may be ended by circumstances standing outside the parties’ will and possibilities.

Like the effective SCC the new ones contain annexes in which the parties specify the manner of the data transfer. The annexes are 3 and concern the following:

  1. List of the parties, description of the transfer and information about the competent supervisory authority;
  2. Technical and organisational measures including technical and organisational measures to ensure security of the data;
  3. List of sub-processors.

With the completion of those annexes the parties should clarify, in concrete manner, their relations concerning the data transfer.

Previous Post
DAC7 – improving tax transparency in reporting taxable income gained through digital platforms
Next Post
The EU Digital COVID Certificate will be in use in the whole EU by 1st July
Read more
keyboard_arrow_up
Skip to content