This post is also available in: Español
The European Commission has just published the final version of the new and highly anticipated Standard Contractual Clauses (SCCs) that will be used to ensure an appropriate degree of personal data protection in certain international data transfers. The European Commission had previously published a first version of the SCCs subject to public consultation.
The previous SCCs, repealed by the new ones, were one of the most common mechanisms to ensure an adequate degree of protection in international transfers. These SCCs were under review to be updated, as they preceded the General Data Protection Regulation coming into effect. This review process was hastened by the Court of Justice of the European Union’s Schrems II Judgment, which, while it considered them valid, concluded that, in some cases, they may not be sufficient to ensure appropriate safeguards.
We analyze the most significant points of the SCCs below.
The new SCCs have a modular structure, and their wording is different based on the scenario in which they are used. Thus, the SCCs envisage four different international data transfer scenarios:
- controller to controller (C-C)
- controller to processor (C-P)
- processor to controller (P-C)
- processor to processor (P-P)
With regard to different scenarios, the modular structure of the new SCCs takes into account two scenarios that were not envisaged in the previous clauses (P-C and P-P).Therefore, the new SCCs better address the different scenarios by dividing them into four different sections: (i) an introduction, with general clauses on interpretation and hierarchy; (ii) a second section listing the parties’ obligations; (iii) a third one on local laws and access to data by the authorities; and (iv) a fourth section with final provisions such as the governing law and jurisdiction clauses. The C-C and P-C scenarios also include two annexes on processing features and technical and organizational measures, while the C-P and P-P scenarios include another annex to list sub-processors.
Furthermore, the new SCCs contain all the information required to engage sub-processors, so it will not be necessary to sign an additional processing commission agreement.
Entry into force
The new SCCs enter into force on June 27, 2021, so they can start to be included as a mechanism to ensure adequate safeguards for data that are going to be transferred internationally from that date. However, the previous SCCs can continue to be used for a transitional period of 15 months after the new SCCs come into effect, i.e., until December 27, 2022, provided (i) the processing subject to the SCCs does not change, and (ii) it is possible to ensure an adequate degree of personal data protection.
The European Commission’s initial proposal envisaged a transitional period of one year. The extension of that transitional period to 15 months was requested in a large number of the responses received by the European Commission during the public consultation on the new SCCs.
In terms of the content of the new SCCs, we highlight the following:
- Accession clause: the new SCCs allow third parties to join the signatories with no need to amend or sign new SCCs. This makes it far easier to use this mechanism, for example, when many processors are involved in a single processing.
- Data transfers: transferring data subject to the SCCs to third parties outside the European Economic Area is prohibited, unless (i) it is to a country benefiting from an adequacy decision from the Commission; (ii) an adequate degree of data protection is ensured through other mechanisms (such as signing the SCCs, binding corporate rules and codes of conduct); (iii) it is necessary to establish, exercise or defend against claims; or (iv) it is necessary to protect data subjects’ vital interests.
- Information: for C-C international transfers, data controllers located outside the European Economic Area to which the data are transferred must provide information on (i) their identity and contact details; (ii) the categories of personal data they are going to process; (iii) the right to obtain a copy of the signed SCCs; and (iv) whether they intend to transfer the data to a third party, the categories of third parties that will access the data, the purpose of the transfer and the contractual grounds for the transfer.
- Identification of the competent authority: the data protection authority of the Member State in which the party transferring personal data outside the European Economic Area is based will oversee the transfer. When the party transferring the data outside the European Economic Area is not based in the European Union, the data protection authority of the Member States in which its representative is located will oversee the transfer.
- Technical and organizational measures: unlike the previous SCCs, the new ones include specific technical and organizational measures for the four scenarios envisaged. The previous SCCs only included a detailed description of the technical and organizational measures for C-P transfers.
- Joint and several liability: data subjects can claim any damages caused by any of the parties involved in the international transfer from any of those parties, regardless of whether the parties involved subsequently claim against the party that actually caused the harm.
Following the Court of Justice of the European Union’s Schrems II Judgment, the new SCCs also include obligations aiming to (i) assess the impact of the international transfer and (ii) know how to act if a data access request from the authorities is received.
The publication of the final version of the new SCCs implies that all companies must:
- update the SCCs they have already signed; and
- update their own international transfer protocols to include the cases in which the new SCCs can be used.
Authors: Pedro Méndez de Vigo and Jorge Monclús
This post is also available in: Español