Updated instruments for the transfer of personal data to non-EU countries – standard contractual clauses version 2021: seventeen months to re-contract

23. 08. 2021

Author: Robert Nešpůrek, Richard Otevřel

If you do business in any field that includes transfers of data (personal data included) to and from foreign countries, non-EU countries in particular – and today it hardly matters whether you work in the digital environment and process data on a day-to-day basis, or whether you run a machine engineering production and your global management works with the data of your customers and employees outside the EU or whether you use, for your local business, the support of software tools coming from Silicon Valley – then you must have asked yourself with the arrival of the GDPR three years ago what would happen to data transfers outside the GDPR zone.

Three years later, the European Commission has answered the question, having prepared a change to the existing set of eleven- and twenty-year-old contractual templates known as Standard Contractual Clauses (“SCCs”).

WHAT ARE THE NEW STANDARD CONTRACTUAL CLAUSES?

The new SCCs were introduced by the European Commission in its decision of 4 June 2021 entering into force on 27 June 2021. The Commission prepared the new SCCs in accordance with the General Data Protection Regulation (the “GDPR”), aiming to reflect the judgment of the Court of Justice of the European Union in the Schrems II case and the subsequent recommendation of the EDPB concerning this judgment.

Within the meaning of Art. 46 of the GDPR, SCCs constitute a tool for creating appropriate safeguards for the protection of personal data when transferring it to third countries with a legal system that fails to ensure a sufficient level of personal data protection. Specifically, it is a template of a contract between the controller or the processor intending to transfer personal data to a third country outside the EU or the EEA (data exporter), and the recipient of personal data in that third country (data importer).

WHY DO WE HAVE THE NEW SCCs?

The new SCCs respond to technological and social progress as well as to the necessity to ensure a sufficient level of personal data protection. The existing SCCs were adopted in 2001 and 2010, well before the GDPR entered into force. In practice, they had to be adapted to the business reality of the given cooperation (this included, for example, global companies’ holding structures), but posed a risk of no longer being considered SCCs due to the adjustments.

The Commission has prepared the new SCCs in compliance with the GDPR and with the objective to reflect the Schrems II judgment of the CJEU and the subsequent recommendation of the European Data Protection Board regarding this decision.

As a result, the most usual kinds of adaptations in use were “promoted” to a template, with its modular approach (see further below) allowing for a greater extent of permitted changes to the SCCs. Naturally, compared to the earlier situation, the SCCs now include additional duties introduced by the GDPR. At the same time, there is a clear statement that in the relationship between the controller and the processor, the SCCs fulfil the role of a data processing agreement under Art. 28 of the GDPR.

WHEN MAY WE START USING THE NEW SCCs?

The new standard contractual clauses may be used as of 27 June 2021, the date on which the decision entered into force.

However, the European Commission introduced two grace periods.

  • The first enables controllers and processors to continue to enter into the existing SCCs (i.e. according to the 2001 and 2010 templates) up until 26 September 2021 included, thereby providing extra time for contracts already being negotiated and for the preparation of new customized templates.
  • The second grace period enables controllers and processors to rely on the old SCCs (entered into before 27 September 2021) up until 27 December 2022, provided that the processing operations subject to the existing SCCs remain unchanged and that reliance on these clauses will ensure that sufficient safeguards apply to the transfer of personal data.

In our view, it is very risky to rely on this grace period, as processing operations rarely remain unchanged, and it might not be as useful to try to legally compare the safeguards under the old and new SCCs as to simply implement a new contract. After all, a number of supervisory authorities across the EU have already recommended that data exporters should implement the new SCCs as soon as possible rather than waiting until the end of the grace period next year.

WHO ARE THE ADDRESSEES OF THE SCCs?

The aim of the adopted decisions on SCCs is to provide companies with comprehensive contractual tools to ensure a European standard of personal data protection in line with the requirements contained in the GDPR even after the personal data are exported from the EU.

In contrast to the existing SCCs, which only applied to limited types of personal data transfers, the new SCCs introduce a modular principle reflecting the complexity of legal relationships and different circumstances of the transfers.

The new SCCs are of particular interest to companies for which the existing SCCs were not suitable due to their limitations, or for companies – controllers, processors or sub-processors alike – for which the transfer of personal data may be at risk due to the invalidation of the Privacy Shield.

WHAT DO THE NEW SCCs INTRODUCE?

You may have heard that compared to the existing practice, the new SCCs simplify the implementation of the clauses. In any case, it still is a complex document offering many options for the resulting solution.

In terms of legal certainty, the new SCCs introduce modules to be chosen by the data exporter, allowing for the same template to be adapted to a specific case of processing, i.e. whether it is a relationship between two controllers, two processors, or even between an EU-based processor and a non-EU controller. As part of the modules, specific options may be selected, such as the mode of engaging sub-processors. In addition to these modules, the SCCs contain parts that cannot be changed; otherwise, there is quite an obvious risk that the requirements of the GDPR will no longer be met.

The SCCs also contain provisions to be completed by the parties, such as categories of personal data to be transferred, technical and organisational measures, etc.

New obligations

Regarded as a major impact of the Schrems II decision, the new SCCs require the parties to assess the compliance of the third country laws, the specific circumstances of the processing as well as all technical and organisational safeguards.

In other words, SCCs cannot be a mere formality. It must actually be verified that their provisions are enforceable and that foreign law will not render them ineffective. Above all, the data exporter, as the one primarily responsible under the GDPR, must therefore carefully evaluate all the above-mentioned circumstances and implement the necessary measures, such as data encryption or pseudonymisation (and ideally incorporate them into the SCCs, e.g. as part of technical and organisational measures), to ensure compliance with the requirements of EU law.

Further, the new SCCs introduce new obligations for data importers. These specifically include the importer’s extensive duty to inform the data exporter where a public authority requests the transferred data. In this respect, under the new SCCs, the third country importer must review the lawfulness of the third country public authorities’ requests for access to personal data, keep records of its actions in dealing with such requests, and, upon request, demonstrate its efforts made.

Under the new SCCs, the data importer must inform the data exporter without undue delay if it is unable to comply with these clauses for any reason, such as its own personal reasons or perhaps a change in the given country’s laws. Hence, if, for whatever reason, the importer is unable to ensure compliance with the clauses, the exporter must suspend the transfer of personal data. The exporter also has the right to terminate the SCCs if there is no remedy within one month or the importer materially breaches the provisions of the SCCs.

Finally, it is to be welcomed that the SCCs expressly introduce the option to choose the applicable law of any EU Member State (the only requirement is that such law does not prevent data subjects from also being beneficiaries of these contractual clauses, which are primarily a bilateral contractual relationship), and the option to choose a specific EU Member State court to decide a potential dispute.

This choice, however, also implies a practical problem of how to actually conclude the contractual clauses in order to ensure that they work properly under the chosen applicable law, binding both the importer and the exporter of personal data, or, if applicable, other parties that can use a “docking clause” to join the SCCs, which is a useful option for widespread global groups in particular.

HOW CAN WE ASSIST YOU?

There are less than 17 months left before everyone using the original SCCs today (or perhaps even still relying on the invalidated Privacy Shield) will have to have new modernised standard contractual clauses negotiated with their business partners.

Our team at HAVEL & PARTNERS will help you

  • select the right variants of the SCCs and the right contracting method;
  • add provisions covering the risks arising from the local laws/legal culture of the country to which you transfer personal data;
  • propose appropriate technical and organisational measures, tailored to the scope of transferred data;
  • add provisions covering indemnity and other risks that may not be sufficiently covered in the template SCCs.

Copyright © 2024 HAVEL & PARTNERS s.r.o., advokátní kancelář