Updated instruments for the transfer of personal data to non-EU countries – time to re-contract is running short

28. 06. 2022

Authors: Robert Nešpůrek, Richard Otevřel

Last summer, we informed you that the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission in June 2021 were to be taken into account for the exchange of personal data with non-European foreign countries; a transition period of a year and a half seemed sufficient even for complex contractual relationships that may involve dozens of companies globally. Well, time has moved on, and if anyone has not already gotten to work, there are barely six months left to ensure that transfers of personal data outside the European Union are covered by the new contractual templates by December 28 at the latest. Perhaps as a small bonus for latecomers, the European Commission has in the meantime responded to current practice in concluding SCCs by issuing a set of questions and answers (Q&As) which it intends to continue to update regularly in the future. The most interesting observations are presented in the text below.

WHAT ARE THE NEW STANDARD CONTRACTUAL CLAUSES?

Pursuant to Article 46 of the GDPR, SCCs are an instrument for establishing appropriate safeguards for the protection of personal data for the transfer of personal data to third countries whose legal order does not guarantee a sufficient level of protection of personal data. Specifically, they are a model text of a contract between a controller or processor of personal data who intends to transfer personal data to a third country outside the European Union and/or outside the EEA (the so-called data exporter) and a recipient of personal data in that third country (the so-called data importer).

While there are also other instruments available for these purposes (such as binding corporate rules, or BCRs), SCCs are the most popular instrument according to a survey – up to 88% of the companies that participated in the survey in 2019 use it specifically for GDPR compliance when transferring personal data outside the EU.

Please see our previous post for a more detailed discussion of the characteristics of SCCs, but it remains true that while the designation “model clauses” may imply their ease of use, the content of the Q&As itself suggests otherwise.

HOW TO ACTUALLY CONCLUDE SCCs?

The SCCs published by the European Commission do not constitute a ready-to-use document in which just the parties and signatures can be added. The very structure of docking, i.e. the preparation of clauses for future accession by other parties (particularly useful in global corporations whose structure changes over time), does not provide a practical solution to how contracting should take place. The Q&As therefore correctly point out that even the method of signing (e.g. whether it can be done electronically) depends on the applicable law chosen and the treatment of this issue typically in the civil codes of the countries concerned. And since docking anticipates that the existing parties to the contract must agree to the addition of, for example, an additional processor, it is advisable to agree on a mechanism for securing such consent.

The European Commission stresses that SCCs cannot be modified (except in expressly specified cases where, on the contrary, a modification is rather necessary); the above is most often solved by inserting SCCs as part of another contract, which will “wrap” the SCCs, so to speak.

TO MODIFY OR NOT TO MODIFY SCCs?

Subsequent work with the text of SCCs requires, while respecting the prohibition on changes to other parts (the sanction for violation of this prohibition would be the practical inadmissibility of SCCs as prima facie evidence of compliance with the GDPR for the purpose of transferring personal data outside the EU, and the need to prove the provision of safeguards for the protection of personal data by other means),

(i) selecting the right modules reflecting the position of the exporter and importer of personal data – in other words, deleting irrelevant clauses from the model contract;
(ii) adding optional data, such as the governing law, supervisory authorities, etc.;
(iii) completing the annexes where, in addition to the basic parameters of the contract (e.g. categories of personal data to be transferred), a description of the technical and organisational measures to ensure the security of personal data should also be included; and finally
(iv) adding appropriate additional measures to enhance security safeguards, which we mention in more detail below.

The resulting wording of SCCs used in practice can thus be highly individualised and very different from the model. For example, the choice of the right module (one of four) may be complicated by the real characteristics of the contractual relations between the parties concerned, i.e. in the context of commercial cooperation the data importer (e.g. in India) may be partly in the role of controller and partly in the role of processor: these two functions need to be sufficiently distinguished in the contract, but at the same time this does not prevent having both modules covering both options agreed in the same contract.

WILL SCCs BE SUFFICIENT FOR THE USA?

Finally, the Q&As highlight the situation regarding the still unresolved consequences of the Schrems II decision: even if SCCs are used, the parties remain responsible for assessing the legislation of the third country to which the personal data is to be exported, the specific circumstances of the processing, and any and all technical and organisational safeguards. And while the importer in the third country concerned is more likely to be in a position to better or more easily evaluate those issues (it will be easier for a company based in California to consult with Californian lawyers), it is ultimately the data exporter who is primarily responsible under the GDPR for evaluating whether additional measures will need to be added to SCCs to ensure compliance with the requirements of European law (e.g., data encryption, pseudonymization, etc.). For these cases, it is advisable to have a suitably robust methodology in place for evaluating both the legal system of the country to which you want to export personal data and the measures to take based on that evaluation.

HOW CAN WE HELP YOU?

With less than 6 months to go, anyone using the old SCCs today (or perhaps even still relying on the invalidated Privacy Shield) will have to negotiate new upgraded standard contract clauses with their business partners.

Our team at HAVEL & PARTNERS will help you to

  • choose the right SCC modules and contracting method;
  • assess the risks (in terms of local laws/legal culture) of the country to which you are transferring personal data, and add provisions reflecting those risks;
  • propose appropriate technical and organisational measures – tailored to the scale of the data to be transferred;
  • add provisions on indemnity and coverage of other risks that may not be adequately covered in the model SCCs.
