On 4 June 2021, the European Commission published the long-awaited updated Standard Contractual Clauses (“SCCs”). These modernised SCCs will replace the three current sets of SCCs that were adopted under the Data Protection Directive 95/46, the predecessor of the GDPR. As the current SCCs were adopted as early as 2004 and 2010, it was high time for the SCCs to be modernised, reflecting the current challenges, developments and the globalized online world.
This blogpost will provide an overview of the most relevant new clauses and steps that need to be taken by organisations currently relying on SCCs or planning to enter into SCCs. We will also briefly describe the current “transfer landscape” to show where this newly adopted document sits within the possibilities of transfers as a whole, as well as a brief update regarding transfers to the UK.
As follows from the name, SCCs do not include detailed obligations aimed at specific situations. The SCCs – both the current and updated versions – contain standardised clauses embodying general obligations following from data protection legislation, such as the principle of purpose limitation and security.
As follows from the implementing decision of the European Commission, the SCCs only apply to transfers to data importers to the extent that the processing by the importer does not fall within the scope of the GDPR.
The updated SCCs consist of a single document, containing four different modules:
- Controller to controller: contains general requirements following from data protection principles. It is unclear whether this module can be applied 1-on-1 regarding joint controllers;
- Controller to processor: clauses largely align with Article 28(3) GDPR (requirements regarding data processing agreements);
- Processor to processor: clauses largely align with Article 28(3) GDPR (requirements regarding data processing agreements);
- Processor to controller: this module applies to the situation where the GDPR only applies to the processor and not to the controller. This module does not contain a clause regarding onward transfers.
This is a huge improvement over the current SCCs, given that under those current clauses, EEA processors are not able to conclude SCCs with non-EEA sub-processors without, for instance, a clear mandate of the controller. As we often see situations involving multiple processors, this was not efficient at all. The updated SCCs thus provide more flexibility and clarity as organisations can ‘pick’ the modules that are applicable to the specific transfer situation in a single document. The clauses can therefore also be easily incorporated in a broader agreement as a whole.
Modules 1-3 contain the possibility of onward transfers. An onward transfer entails disclosing personal data “to a third party located outside the EEA in the same country as the data importer or in another third country”. In all three modules, this is only allowed if:
- That country has obtained an adequacy decision;
- That country has met one of the requirements of Art. 46 or 47 GDPR;
- That third party enters into a binding instrument with the data importer ensuring the same level of data protection as under the SCCs;
- It is necessary for legal proceedings or legal claims;
- It is necessary in order to protect the vital interests of the data subject; or
- If none of the above applies, if the data subject has provided explicit consent.
The above requirements also apply if the recipient of the onward transfer is a sub-processor. In addition to approval of the controller or processor for the engagement of sub-processors, one of the requirements thus must be met as well.
Schrems II: ‘investigation requirement’
The recent Schrems II-judgment has dropped quite a bomb on the possibility to transfer personal data on the basis of SCCs as we explained here. As follows from this judgment, transferring personal data to third countries cannot be a means to undermine or water down the protection in the EEA. Therefore, controllers or processors are responsible for verifying, on a case-by-case basis, whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards of the GDPR. If this is the case, the CJEU still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law.
The foregoing has been embodied in the updated SCCs. As follows from its Clause 14, parties must “warrant that they have no reason to believe that the laws and practices in the third country of destination (…) prevent the data importer from fulfilling its obligations under these Clauses”. It is also specifically mentioned that an assessment must be made containing information on laws of the specific country, as well as security measures. This assessment may be requested by the Supervisory Authority, entailing that the principle of accountability also applies here.
Please note that this ‘investigation requirement’ also applies under the current version of SCCs. Unfortunately, the new SCCs do not solve all underlying issues of the Schrems case. SCCs without additional measures may still be an insufficient basis for a transfer if the laws and practices in an importing country prevent the data importer from fulfilling its obligations under the SCCs.
The current SCCs will be repealed three (3) months after the updated SCCs have entered into force (precise date is still unclear). After this three-month period, parties that already concluded SCCs have 15 months to change to the updated version. This entails the following:
1. Parties that have already concluded SCCs
Current SCCs have to be changed to the updated version within 18 months (3 + 15) after the updated version has entered into force.
2. Parties wishing to conclude SCCs within 3 months after the updated SCCs enter into force
The current SCCs may still be used. This is however very inefficient given that parties have to change to the updated version within 15 months (see situation 1).
3. Parties wishing to conclude SCCs after the current SCCs have been repealed
The current SCCs are no longer valid. Parties need to use the updated SCCs.
There are a few options when it comes to transferring personal data outside the EEA. The updated SCCs will not become an additional option, but will replace the current versions of the SCCs. Transfers may only take place if one of the below measures can be invoked. Please see the overview below:
Update on the UK
The United Kingdom (“UK”) withdrew from the EU on 31 January 2020 and the transitional period during which EU law continued to apply in the United Kingdom ended on 31 December 2020. As of 1 January 2021, transfers of personal data to the UK are governed by the EU-UK Trade and Cooperation Agreement (“TCA”). The TCA provides for an interim regime that ensures the full continuity of data flows between the EEA and the UK, with no need for companies and public authorities to put in place any transfer tool under the GDPR. This solution is applicable for a maximum period of six months and would thus, by operation of law, end this month.
The European Commission launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the UK in February. This procedure has, however, not yet been finalised. If there is no adequacy decision on 30 June 2021, transfers to the UK must, pursuant to the current agreements, be based on either BCRs, SCCs or – if possible – exceptions.
Please see our earlier blogpost about this topic for more information.
If you have any questions on international transfers, please do not hesitate to contact us.
This blogpost was written by Sophie Hendriks