New standard contractual clauses published
The European Commission published the new EU standard contractual clauses for transfers of personal data to third countries on June 4, 2021. The new standard contractual clauses are intended to simplify international data transfers and comply with the requirements of the Schrems II ruling.
Requirements
- “Schrems II” obligations implemented: The new standard contractual clauses explicitly oblige users to check whether the data importer is in a position to comply with the contractual regulations with regard to the legal situation in the third country, in particular with regard to protection against disproportionate access by authorities.
- Mandatory data transfer impact assessment: Parties must guarantee that they have no doubts about compliance with European data protection standards in the country of the data importer. This assessment of the adequacy of data protection in the recipient country based on the measures taken shall be documented and submitted to the supervisory authority upon request.
- Defend against official requests for information: The data importer must defend itself against official requests for information to the extent permitted by law and inform the data exporter and data subjects accordingly.
- Liability clause: The new standard contractual clauses provide for liability of the parties for breaches of duty not only vis-à-vis the persons concerned, but also in relation to each other.
- “docking clauses”: additional parties can join the standard contractual clauses.
Structure
The new standard contractual clauses are structured as follows:
- Module 1: EU controller and processor in the third country
- Module 2: EU and third country controller
- Module 3: EU processor and third country controller
- Module 4: EU Contract Processors and Sub-Processors in Third Countries
Implementation period
The new standard contractual clauses must be used for new contracts by September 27, 2021 at the latest. All old contracts must be converted to the new standard contractual clauses by December 27, 2022 at the latest.
Outlook
The EU Commission’s new standard contractual clauses update this instrument for data exchange with third countries, which is indispensable in practice. They thus eliminate many ambiguities that arose in particular after the Schrems II decision.
Providing different modules increases flexibility for stakeholders. Whereas previously only the responsible party could conclude the standard contractual clauses, the new design of the standard contractual clauses also makes it possible to regulate between service providers in the EU and sub-service providers outside the EU.
Nevertheless, in its decision on the standard contractual clauses, the EU Commission explicitly points out that the transfer of personal data on the basis of the standard data protection clauses should not take place if the law and legal practice in third countries prevent the data importer from complying with the contractual obligations. Therefore, even when applying the new “standard data protection clauses”, data-exporting companies will have to regularly check which laws apply in the third country and whether they are compatible with the standard contractual clauses. This assessment (“Data Transfer Assessment”) must be documented and submitted to the supervisory authorities upon request. Therefore, in the future it will no longer be sufficient to fill out only the respective module. Rather, it must be shown why an adequate level of data protection is achieved in practice by the measures taken. The Data Protection Conference also explicitly points out this aspect: https://www.datenschutzkonferenz-online.de/media/pm/2021_pm_neue_scc.pdf
The new standard contractual clauses are available here.
We will be happy to send you a special edition of Privacy News, which provides an overview of the new standard contractual clauses. In addition, the European supervisory authorities have launched a questionnaire campaign as part of a coordinated action. Selected companies were approached specifically about data transfers to recipients outside the EU.