New Standard Contractual Clauses for the international transfer of personal data
There are different adequate safeguards on which the transfer of personal data to countries/organizations outside the European Economic Area (EEA) can be based, including the Standard Contractual Clauses (SCCs).
Because of Schrems II, however, the SCCs were under attack. Thereby, the SCCs had not yet been updated with the arrival of the General Data Protection Regulation (GDPR). The new SCCs were therefore highly desired, and they are available since June 4, 2021!
Structure
The new SCCs consist of a general part and a modular part, where within the modular part you can choose the module that matches the applicable privacy positions. The general part regulates matters such as the purpose and subject of the SCCs, prioritization, possibility to add parties to the SCCs and general guarantees. Thereby, general annexes have been added in which relevant parties, personal data, data subjects, details about the transfer, the competent supervisory authority, security measures and the sub-processors can be further specified. For the modular part, you can choose from four modules that apply to four different situations:
- Transfer of personal data from a controller (data exporter) to a controller (data importer);
- Transfer of personal data from a controller (data exporter) to a processor (data importer);
- Transfer of personal data from a processor (data exporter) to a processor (data importer);
- Transfer of personal data from a processor (data exporter) to a controller (data importer).
Within these modules, a number of options is offered. For example, you can choose between giving general or specific permission for the engagement of sub-processors.
Rules for usage
The new SCCs can be used for the transfer of personal data to third countries (countries outside the EEA), where the data exporter can be located in a country within the EEA but also outside the EEA (as he/she falls under the scope of the GDPR). In addition, the SCCs can be expanded and/or supplemented at any time with new parties that are added as (sub-)processors, but also new parties that hold a position as a data importer or a data exporter. Furthermore, as with the previous SCCs, no changes may be made to the articles by the parties. For example, matters such as liabilities, provided guarantees and information obligations are all set in stone. However, the SCCs may be included in a ‘larger’ contract and provisions may be added, provided they do not contradict to the SCCs.
Five striking changes
Besides the fact that the new SCCs are more extensive, offer more options and contain provisions on the relevant GDPR elements, the following points stand out:
- The situations to which the SCCs apply have been expanded (because of the four modules, which make the SCCs suitable for the transfer of personal data between parties with four different privacy positions instead of two, and the applicability to a data exporter vested both outside and inside the EEA instead of only being able to be vested within the EEA).
- The flexible approach that allows multiple parties to be added or deleted as a data importer or data exporter, at any moment.
- The implementation of Schrems II requirements, by which an obligation is created for the data importer to perform a preliminary assessment of the applicable legislation and the possible obligation to disclose personal data or fulfill measures that authorize access to the data exporter’s personal data by public authorities. And, in addition, the obligation that when requests for personal data from public organizations are received, they must be rejected/contested where possible, the data exporter must be informed (where possible) and the data importer must register these requests and at least should provide information on an aggregated level about it to the data exporter.
- The parties have unlimited liability towards data subjects for non-compliance with the SCCs, but also towards each other. It is questionable whether the parties cannot contractually limit their liability towards each other.
- The parties are free to choose the applicable legal system and jurisdiction (under the old SCCs this was automatically the same as that applicable to the country of the data exporter).
Transition period
Officially, the new SCCs can be used from June 27, 2021. However, until September 26, 2021, organizations may continue to use the old SCCs due to the transition period. From September 27, 2021, only the new SCCs may be used for new contracts. Furthermore, organizations will have until December 27, 2022 to replace all their already closed old SCCs with new SCCs.
Would you like to know more about the new SCCs or do you need help with replacing your old SCCs? Please feel free to contact us.
Michelle Wijnant, Legal Counsel IT, IP & Privacy ([email protected])
Natascha van Duuren, Partner IT, IP & Privacy ([email protected])