New EU standard contractual clauses
The EU Commission has published new standard contractual clauses. Data transfers to companies in third countries must be safeguarded by the new clauses no later than December 27, 2022.
The EU Standard Contractual Clauses (SCCs) set out data protection conditions for the transfer of personal data to third countries outside the European Union. On July 16, 2020, the European Court of Justice confirmed the SCCs as a valid instrument for ensuring an adequate level of protection for data processing operations in the third country.
On June 4, 2021, the European Commission responded to the most recent discussion on safeguarding international data flows in the wake of the invalidation of the EU-US Privacy Shield agreement with two implementing decisions on new standard contractual clauses. These new SCCs are intended to close the gaps in data protection law that have been identified to date. In particular, the far-reaching powers of national security authorities in countries such as the USA or the UK, which go beyond what the General Data Protection Regulation permits, are to be countered with contractually agreed security measures.
The European Commission published two templates for standard contractual clauses. First, standard contractual clauses for data transfers between controllers and processors; these can be used as a model contract for a processing agreement pursuant to Art. 28 GDPR. Second, standard contractual clauses for the transfer of personal data to third countries, which replace the previous SCCs for third-country transfers. The new SCCs may and shall be used for data transfers to third countries as of June 27, 2021.
The modular structure and the specification of the additional organizational and technical measures in the annex to the agreement are decisive for the implementation of the new SCCs. Before data processing begins, it must be determined which modules are relevant (more than one is possible) and which measures are used to address the risk of the data processing. It is important to document the decision-making process in order to be able to provide evidence of the risk assessment.
With the modular structure, all possible transfer constellations can now be mapped:
– Controller-to-controller (responsible party to responsible party)
– Controller-to-processor (controller to processor)
– New: Processor-to-processor (processor to processor)
– New: Processor-to-controller (processor to controller)
Important contractual additions in the SCCs are:
– Unlimited fault-based liability for data protection violations
– Additional provisions to protect data from access by foreign authorities
– Conduct of a Transfer Impact Assessment (TIA) to assess the risk of data transfers to insecure third countries
– Parties must provide notice of access attempts by foreign authorities
– Expanded annex on technical and organizational measures
With regard to the extended security measures, additional measures to guarantee the rights of the data subjects must be agreed among the parties. For example, measures for data minimization, data quality, storage limitation and accountability must be specifically named. In Annex II of the SCC, such measures are described in abstract terms and require the parties to specify them in concrete terms.
Under the GDPR, the new SCCs must be used in new contracts starting September 28, 2021. SCCs of the old version signed by September 27, 2021 must be replaced by December 27, 2022. Therefore, anyone who still wanted to use the old SCCs had to have done so by September 27, 2021. For controllers and processors already using existing standard contractual clauses, a transition period of 18 months is provided. Those who are about to enter into new data protection contracts with third-country service providers and controllers should not continue with the previous SCCs.
Unfortunately, the new SCCs do not provide a free pass for third-country transfers. In its final recommendations of June 18, 2021 on the data protection-compliant design of third-country transfers, the European Data Protection Board makes it clear that a transfer to the USA cannot be regarded as permissible without further technical safeguards.