On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries in accordance with the EU’s General Data Protection Regulation (“GDPR”), together with a draft of the new standard contractual clauses (the “SCCs”).
The central theses
Key findings related to the draft implementing decision and the SCCs include:
- The SCCs try to address the complexity of modern processing chains by combining a set of general provisions with several modular provisions that should be selected based on the status of the parties under the GDPR, namely provisions for (1) controller-to-controller transfers, (2) transfers from controller to processor, (3) transfers from processor to processor and (4) transfers from processor to controller (especially if the EU processor combines the personal data received from the controller of a third country with personal data collected in the EU).
- The general clauses contain language regarding: (1) the obligation of the parties to ensure that the data protection laws in the receiving country, including any requirements for disclosure of personal data or measures authorizing access by public authorities, do not prevent the data importer from fulfilling its obligations under the SCCs; (2) obligations of the data importer in relation to government access requests: to inform the exporter of such requests, to verify the legality of the request and to ensure that only the minimum amount of information permitted by law is provided when responding to a request; (3) an appeal mechanism for data subjects; (4) compensation to the parties in the event of a violation of the SCCs; (5) supervision of transfers by regulatory authorities; (6) obligations of the parties in the event that the data importer is unable to comply with the SCCs; (7) termination of the SCCs; (8) the ability of the parties to choose the law of one of the EU Member States to govern the SCCs, which must take into account the rights of third-party beneficiaries; and (9) choice of forum and jurisdiction in the event of a dispute arising from the SCCs.
- Controllers and processors should select the module clauses applicable to their situation and align their obligations under the SCCs with their respective roles and responsibilities in relation to the data processing concerned. Depending on the designation of the parties as controller or processor, the modular clauses for transfers contain language in relation to: (1) data protection measures to be implemented by the parties depending on their designation under the GDPR, including safeguards regarding the necessary instructions for transfer, transparency, purpose limitation, accuracy and data minimization, storage limitation, deletion and return of data, security, transfer of sensitive data and data related to criminal convictions or offenses, onward transfers and accountability of the parties; (2) appointment of subprocessors in the context of controller-to-processor and processor-to-processor transfers; (3) rights of the data subject and obligations of the parties in the event of a data subject rights request; and (4) liability of the parties under the SCCs.
- Annex I of the SCCs must be completed by the parties and contain (1) a description of the transfers, including the categories of data subjects whose personal data are transferred, the categories of personal data transferred, the purpose(s) of the transfer and further processing, if applicable, maximum retention periods for data and, for transfers to (sub)processors, the subject matter, nature and duration of the processing; and (2) a list of the parties to the SCCs. The SCCs specifically provide for execution between three or more parties and for the addition of further parties throughout the contract cycle. In addition, Annex II of the SCCs should be completed by the data importers and contain a description of the technical and organizational measures that have been implemented to ensure an adequate level of security for the data transferred. Finally, Annex III of the SCCs should list the sub-processors used by the processor, if any.
- Controllers or processors can include the SCCs in a more comprehensive contract and add further clauses or protective measures, provided they do not directly or indirectly contradict the SCCs or impair the fundamental rights or freedoms of the data subjects. Controllers and processors are required to take additional protective measures through contractual obligations that complement the SCCs.
- The data subjects must receive a copy of the SCCs upon request and be informed of any change in the purpose and of the identity of any third party to whom the personal data is passed on. With regard to onward transfers to additional recipients in third countries, transfers are only permitted if (1) the recipient joins the SCCs, (2) the protection of the personal data transferred is guaranteed in another way, or (3) the data subjects give their informed and explicit approval.
- Controllers and processors can continue to rely on the existing SCCs for a transition period of one year from the acceptance of the new SCCs, provided that the contract remains unchanged, with the exception of the inclusion of the necessary supplementary measures to ensure the transfer of personal data is subject to appropriate safeguards.
The SCCs are open for public consultation until December 10, 2020. Feedback can be given here. The adoption process for the SCCs requires an opinion from the European Data Protection Board and the European Data Protection Supervisor as well as the positive vote of the EU Member States within the framework of the comitology procedure. The final SCCs are expected to be adopted in early 2021.