European Commission publishes new Standard Contractual Clauses
In a ruling invalidating the EU-US Privacy Shield, the Court of Justice confirmed the validity of the EU Standard Contractual Clauses (SCCs) for the transfer of personal data to processors outside the EU or European Economic Area in July 2020. The Court ruled that international data flows under the EU’s data protection regime, the General Data Protection Regulation (GDPR), can continue based on EU SCCs however, mandated that the Commission adapt and update its SCCs to be more aligned with GDPR and amongst other requirements, include the additional clauses on supplementary measures. The EDPB published draft guidelines on supplementary measures which was consulted upon late last year.
On June 4, the European Commission adopted two new sets of standard contractual clauses (SCCs); one to be used by data processors and data controllers; and the other for transfers of personal data to third countries not covered by an EU adequacy agreement.
The key updates to both sets of SCCs include:
- Update in line with the General Data Protection Regulation (GDPR);
- One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- More flexibility for complex processing chains, through a ‘modular approach' and by offering the possibility for more than two parties to join and use the clauses;
- Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures', such as encryption, that companies may take if necessary
The new SCCs are intended to better comply with GDPR requirements following the Schrems II ruling of the EU Court of Justice through the use of standards and pre-approved provisions. However, the new SCCs do not completely do away with the uncertainty generated by the Schrems II decision, which also requires companies to run a case-by-case for third countries where GDPR adequacy is not ensured. The new SCCs come with a ‘practical toolbox’ that is meant to guide organisations on how to comply with the Schrems II case law.
The SCCs provide a template for data protection provisions that should be included in business-to-business agreements that involve the processing of personal data, hereby supporting European companies and SMEs to be GDPR compliant in their contractual arrangements
They will come into force twenty days following their publication in the Official Journal of the EU. The updated SCCs include many obligations for both data exporters and importers which will require careful assessment. For controllers and processors that are currently using previous sets of standard contractual clauses, a transition period of 18 months is provided. The Commission will also review ‘periodically’ the SCCs in light of changing technology and processing operations.
Using the new SCCs for controllers and processors:
The new SCCs include a provision that controllers must carefully assess the capabilities of processors before entering into a contract or other legal agreement with them; using processors that “provide sufficient guarantees” such as expert knowledge, reliability and resources.
The contractual agreement maintains additional broadening and flexibility. The controller and processor are free to include the SCCs in a broader contract, and to add other clauses or additional safeguards provided that they do not contradict the SCCs or prejudice the fundamental rights or freedoms of data subjects. Third parties can also join the SCC throughout the lifecycle of the contract.
It is required that controllers and processors clearly list out both substantive and procedural rules, notably:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data concerned;
- The categories of data subjects; and
- The obligations and rights of the controller.
In terms of on-site audits by controllers, the new SCCs maintain that audits may still be requested, however, processors must be provided with “reasonable notice”. With regards to obligations of the processor under these contractual arrangements, the processor must “immediately” inform the controller if the controller’s processing instructions infringe upon GDPR or other Union/Member State laws on data protection.
The controller may also terminate the contract if the controller has suspended the processing of personal data; if the processor is in ‘substantial or persistent breach’ of the SCC; and/or if the processor does not comply with court rulings or supervisory authorities’ rulings.
If a contract is suspended, the processor may delete all personal data on behalf of the controller, but the controller must certify this deletion and there is no indication of the timeframe provided with this deletion certification requirement.
In Annex III, the Commission provides a list of supplementary technical and organisational measures to ensure the security of the data. These measures need to be described concretely and not in a generic manner and include measures of pseudonymisation and encryption of personal data, measures for user identification and authorization, and measures for ensuring data quality, among others.
Using the new SCCs for international transfer:
An interesting aspect of the updated SCCs is that they exercise a modular approach which aims to cater for various transfer scenarios and provide flexibility to controllers and processors with complex modern processing chains.
The new SCCs maintain the third-party disclosure requirement that data importers must directly or indirectly inform the data subject as to whether the importer ‘intends’ to onward transfer data to third parties. With regards to the certification of deletion of data, the new SCCs maintain the approach that goes beyond Article 28(3)(g) of the GDPR that importers must ‘certify’ to the data exporter that all personal data has been deleted (upon deletion request of the data exporter).
The parties should take account of the specific circumstances of the transfer (see substantive and procedural rules above) as well as the laws and practices of the third country of destination that are relevant in light of the circumstances of the transfer. The parties must then put in place relevant safeguards or contractual measures to mitigate the impact of third country potentially intrusive laws. When assessing third country laws, parties may take into consideration the following:
- Reliable information (case law independent oversight reviews).
- Previous third country government requests ‘in the same sector’
- Requests only submitted under strict conditions.
- Document experiences from partiers.
In addition, the data importer must inform both the data exporter and the data subject if it receives a legally binding request and/ or if it becomes aware of any direct access from the third country.