New standard contractual clauses published
The European Commission published the new EU Standard Contractual Clauses for transfers of personal data to third countries on 04.06.2021. The new standard contractual clauses are intended to simplify international data transfers and take into account the requirements of the Schrems II ruling.
Requirements
- “Schrems II” obligations implemented: The new standard contractual clauses explicitly oblige users to check whether the data importer is in a position to comply with the contractual regulations with regard to the legal situation in the third country, in particular with regard to protection against disproportionate access by authorities.
- Mandatory data transfer impact assessment: The parties must affirm that they have no doubts about compliance with European data protection standards in the country of the data importer. This assessment of the adequacy of data protection in the recipient country based on the measures taken must be documented and submitted to the supervisory authorities upon request.
- Defend against official requests for information: The data importer must defend itself against official requests for information to the extent permitted by law and inform the data exporter and data subjects accordingly.
- Liability clause: The new standard contractual clauses provide for liability of the parties for breaches of duty not only vis-à-vis the persons concerned, but also in relation to each other.
- “docking clauses”: additional parties can join the standard contractual clauses.
Structure
The new standard contractual clauses are structured according to the following modules:
- Module 1: EU controller and processor in the third country
- Module 2: EU and third country controller
- Module 3: EU processor and third country controller
- Module 4: EU Contract Processors and Sub-Processors in Third Countries
Implementation period
The new standard contractual clauses must be used for new contracts by 27.09.2021 at the latest. All old contracts must be converted to the new standard contractual clauses by 27.12.2022 at the latest.
Outlook
The EU Commission’s new standard contractual clauses update this instrument, which is indispensable in practice for enabling data exchange with third countries. They thus eliminate many ambiguities that have arisen, especially after the Schrems II decision.
The provision of different modules increases the flexibility for the participants. Whereas previously only the controller could conclude the standard contractual clauses, the new design of the standard contractual clauses also allows for a regulation between service providers in the EU and sub-service providers outside the EU.
Nevertheless, in its decision on the standard contractual clauses, the EU Commission also explicitly points out that the transfer of personal data on the basis of the standard data protection clauses should not take place if the law and legal practice in third countries prevent the data importer from complying with the contractual obligations. Accordingly, even when applying the new “standard data protection clauses”, data-exporting companies will regularly have to check which laws apply in the third country and whether they are compatible with the standard contractual clauses. This assessment (“Data Transfer Assessment”) must be documented and submitted to the supervisory authorities upon request. Therefore, in the future it will no longer be sufficient to fill in only the respective module. It must also be explained why an adequate level of data protection is achieved in practice by the measures taken. The Data Protection Conference also explicitly points out this aspect: https://www.datenschutzkonferenz-online.de/media/pm/2021_pm_neue_scc.pdf
The new standard contractual clauses are available here.
We will be happy to send you the special edition of Privacy News, which provides an overview of the new standard contractual clauses. In addition, the European supervisory authorities have launched a questionnaire campaign as part of a coordinated action and specifically approached selected companies about data transfers to recipients outside the EU.