Cláusulas Tipo

This post is also available in: Español

In line with the recommendations adopted by the European Data Protection Board (“EDPB”) on measures supplementing international transfer tools discussed in this blog entry, on November 12, 2020, the European Commission (“EC”) published the draft standard clauses for controller to processor contracts (“Standard Contractual Clauses” or “SCCs”) adapted to the General Data Protection Regulation 2016/679 (“GDPR”).

The EC has opened a public consultation period for this draft lasting until December 10.

See below the main changes in the draft with respect to the previous standard clauses, which were adopted through EC Decisions 2001/497/EC and 2010/87/EU implementing repealed Directive 95/46/EC:

  • The draft completely modifies the structure and content of the SCCs, providing various modules depending on the relationship between the data exporter and the data importer. It provides for the following possible transfer combinations:
    • controller to controller;
    • controller to processor;
    • processor to processor; and
    • processor to controller.
  • The draft arranges each module based on various pillars, mostly to comply with the general principles provided in article 5 of the GDPR. In particular, the draft provides obligations regarding:
    • purpose (see article 5.1 b) GDPR);
    • transparency (see article 5.1 a) GDPR);
    • accuracy and data minimization (see paragraphs c) and d) of article 5.1 GDPR);
    • storage limitation (see article 5.1 e) GDPR);
    • security of processing (see articles 5.1 f), 25, 32 and 34 GDPR);
    • special categories of data;
    • onward transfers;
    • documentation and compliance (accountability principle of article 5.2 GDPR).
  • In line with the Court of Justice Schrems II judgment and the subsequent EDPB recommendations, the draft adds two significant sections regarding (a) local laws or regulations affecting compliance with the SCCs and the rights guaranteed by them; and (b) obligations of the data importer, including notification, in case of government access requests.

This can be considered the most significant development in light of the Schrems II judgment.

  • The SCCs have two other sections, related to sub-processors and data subject rights.
  • The last clauses are broader, covering aspects like liability and compensation, non-compliance and termination of the transfers and contracts where the SCCs are included.
  • Generally, the annexes are similar to the previous version, but annex II on technical and organizational measures adds many examples that should be considered.

The EC decision implementing this new draft will also repeal EC Decisions 2001/497/EC and 2010/87/EU, and therefore the previously applicable standard clauses. However, these previous clauses will remain in force for an additional year so that controllers and processors (exporters and importers) can update the standard clauses, as long as the contracts to which they refer are dated before the entry into force of the new SCCs.

Authors: Adaya Esteban and Jorge Monclús

This post is also available in: Español

Autores:

Consejero

97 artículos

Jorge Monclús

jorge.monclus@cuatrecasas.com

Asociada

91 artículos



adaya.esteban@cuatrecasas.com