New Standard Contractual Clauses: An Overview

International transfers of personal data have been a hot topic for a long time now in Europe – and rightly so. The downside of being the “reference point for data protection laws” is that other jurisdictions do not accord the same level of protection to personal data as the European Union does. After a lengthy process involving recommendations from the European Data Protection Board and the European Data Protection Supervisor, the European Commission finally adopted updated Standard Contractual Clauses which already started to apply to new deals from 27th September 2021.

With one month of experience under the new regime behind us, and having set out in our recent article the contractual changes to your international transfers, we now set out the contents of the new SCCs, what you need to know about drafting them, what has changed and tips on how to manage the rights and obligations of controllers and processors.

What do the new SCCs contain? 

As mentioned in our recent article, there are two new sets of SCCs. One set covers international personal data transfers (the Transfer SCCs), which replace the three old sets of SCCs (the Old SCCs), and the other set is a new creation to manage the rights and obligations of controllers and processors. 

Transfer SCCs:

Whereas the Old SCCs were split into separate agreements based on the type of transfer and the roles of the parties, the new Transfer SCCs encompass numerous processing roles in a single instrument, so as to cover all personal data transfers to third countries.

This has been done by adopting a modular approach. The SCCs have four different “modules” for the following processing relationships (for a reminder of how the processing roles work, please check out our previous article here):

1.     Module 1: Controller-to-controller transfers (C2C);

2.     Module 2: Controller-to-processor transfers (C2P); 

3.     Module 3: Processor-to-processor transfers (P2P); and 

4.     Module 4: Processor-to-controller transfers (P2C).

Accordingly, you can now cover multiple scenarios through the same model clauses, by including the clauses specific to the module that applies to your specific personal data transfer. 

Other changes include:

  • Inclusion of a Docking clause

In what has been seen as a welcome addition, more than two parties can sign up to the same SCCs through the introduction of a new docking clause at clause 7 of the Transfer SCCs. This optional clause allows additional parties to accede to the same SCCs without having to draft and negotiate new contractual documentation each time. If you need flexibility, do think about keeping this clause in.

  • Assessment of local laws 

Section III of the new SCCs introduces new requirements on the parties to assess the local laws and practices of the importing country, such that by entering into the SCCs the parties are able to warrant that they have no reason to believe that those laws and practices prevent the data importer from fulfilling its obligations under the SCCs, which reflect GDPR standards of protection. 

In providing such a warranty, the parties need to assess each data transfer on a case-by-case basis, including assessing:

1.     the specific circumstances of the transfer – including length of the processing chain, number of actors involved, transmission channels, onward transfers, type of recipient, purpose, categories of data, format of data, the economic sector in which the transfer occurs and the storage location;

2.     the laws and practices of the third country destination – including requirements for data disclosure or access authorisation to public authorities, in light of the elements assessed in point 1 above, and the applicable limitations and safeguards assessed in point 3 below; 

3.     the contractual, technical and organisational measures in place to supplement the safeguards under the SCCs – including any measures applied during transmission and during the processing in the importing country. 

This assessment needs to be documented by the parties and, if requested by the competent supervisory authority, the document needs to be made available to show compliance with Section III of the SCCs. In this way, gone are the days of mindlessly signing the SCCs and never actually looking at them or assessing what they mean. Entities transferring or receiving EEA data now need to be more proactive in ensuring that the transferred personal data is indeed protected according to GDPR standards at all times. Moreover, this requirement to assess local laws is an ongoing one: if, after signing, the data importer has reason to believe that the laws or practices have changed in such a way that it can no longer fulfil its obligations, it must notify the data exporter promptly (Section III, Clause 14(e)). 

This may sound particularly onerous – and it is indeed a big step up from the old regime – however, there is some comfort for data importers and exporters in the European Data Protection Board’s (the EDPB) Recommendations on the use of these new SCCs. The EDPB confirmed that, in the course of conducting such an assessment, the parties may take into account the practical experience of the data importer in dealing with public authority access requests. Parties may also consider previous case law, reports by independent bodies on past data disclosure and access requests, and the patterns seen in the particular sector. A simple document provided alongside the SCCs should be sufficient; parties should avoid making this document contractual, to allow for flexibility as practices and processes evolve.

  • Responding to data disclosure and access requests

The new SCCs also set out obligations on the data importer in the case of any data disclosure or data access request from public authorities or the government in the third country. An example of this would be a US data importer receiving a request to disclose EEA personal data under FISA. Clause 15 covers the data importer’s obligations in this scenario, which include: 

i.     notifying the data exporter and, where possible, the data subject;

ii.    using its best efforts to obtain a waiver of any prohibition on notification;

iii.   providing as much information as possible to the data exporter, including keeping records of the requests received; 

iv.    reviewing the legality of the request and, where possible, challenging it to ensure that EEA personal data is not disclosed or accessed; and

v.     where personal data must be disclosed, disclosing only the minimum amount permissible.

  • Technical and organisational measures 

Whilst including the security measures related to the transfer is not a novel requirement, under the new SCCs this requirement is enhanced. The parties must now set out the relevant safeguards in more detail in Annex II, and these should form part of the transfer impact assessment described above. These technical and organisational measures also need to be reviewed and monitored on an ongoing basis. 

  • Data subjects as third-party beneficiaries and liability for supply chains

The new SCCs accord data subjects whose personal data is covered by the relevant SCCs third-party beneficiary rights, which means that data subjects can also enforce their terms, in addition to the contracting parties and supervisory authorities. Additionally, where more than one party in the data supply chain is responsible for damage caused to a data subject by a breach of the SCCs, those parties are jointly and severally liable towards the data subject. This means that any liability or indemnity provisions to protect your business as between the parties will have to be set out separately. 

  • Compliance with Article 28 GDPR

The C2P and P2P modules of the Transfer SCCs have been drafted to cover the Article 28 obligations under the GDPR, such that controllers and processors using those modules are no longer obliged to enter into a separate contractual arrangement to cover such processing. 

Article 28 Clauses: 

The European Commission has also created an additional set of model clauses to cover the Article 28 requirements between controllers and processors. These are optional; they are not required, for example, if you have already entered into a separate Data Processing Agreement. 

However, since these Article 28 Clauses have been given the seal of approval from the European Commission, they could be a good option for parties who do not wish to negotiate a separate Data Processing Agreement. 

These Article 28 Clauses can be used to confirm information such as the subject matter and duration of the processing, categories of personal data, etc. 

These Article 28 Clauses have been drafted by the European Commission pursuant to the option provided in Article 28(7) of the GDPR; Article 28(8) gives the same option to supervisory authorities. As such, these are not the only model clauses available to controllers and processors; however, they are considered the best option, given that they have been drafted by the Commission and reviewed by the EDPB. 

Final comments: 

As international personal data transfers are the bread and butter of many industries today, it is important to stay on top of your compliance requirements and ensure that you migrate to the new regime as soon as possible, and in any case no later than 27 December 2022, when the Old SCCs cease to be a valid basis for existing contracts. 

Here at Gerrish Legal, we are in the process of creating a new automation tool to help you with such SCCs and other agreements – so keep an eye on our page for this! 

In the meantime, if you have any questions, please do not hesitate to contact us.
