The GL Quick Guide to Completing the new EU SCCs
Standard Contractual Clauses (SCCs) were introduced by the European Commission (EC) to ensure controllers and processors of personal data are complying with the requirements of the European Union’s (EU) data protection legislation. They are “ready-made” and easy to use clauses that allow parties to easily comply with the legislation. Our article provides a detailed explanation on what constitutes SCCs. Despite SCCs being a voluntary tool, the European Commission can implement SCCs into relationships between controllers and processors and also for the transferring of data to countries outside of the European Economic Area (EEA).
Although the new SCCs were introduced in June 2021, a grace period was granted but parties must incorporate them in any deals of data transfers by 27 December 2022.
As a result of the updated obligations implemented under the General Data Protection Regulations and the results of the Schrems II case of the EU Court of Justice, the SCCs were updated to align with these evolutions. The EC noted that the update was required in order to keep up with “the realities of the modern digital economy”.
What has changed?
Our article, here, discusses the changes put in place by the update to the SCCs. In summary, some of the changes made include:
· Docking clause
· Assessment of local laws
· Responding to data disclosure and access requests
· Technical and organisational measures
· Data subjects as third-party beneficiaries and liability for supply chains
· Compliance with Article 28 GDPR.
In this article, we discuss the obligations required by parties involved in the processing of personal data of EU citizens, inside and outside of the EEA.
What are the different scenarios in which the SCCs apply?
The SCCs compose a series of general clauses that will be applicable in all commercial contracts, containing specific clauses applying to different situations. The parties to a contract can use one of the four modules, that will be the most adapted to their relationship (processor, controller or sub-processor) and their needs.
The EU Commission has provided 4 different scenarios:
- Module 1 applies to data transfers between a controller (the data exporter) and another controller (the data importer).
- Module 2 applies to data transfers between a controller (the data exporter) and a processor (the data importer).
- Module 3 applies to data transfers between a processor (the data exporter) and a sub-processor (the data importer).
- Module 4 apples to data transfers between a processor (the data exporter) and a controller (the data importer).
The last module should only be selected when a processor in the EEA is involved in a data transfer with a controller outside of the EEA. The processor either collects data in the EEA in the name of the controller or processes data received from the latter in the EEA.
It is worth noting that parties can apply several modules. This may occur when the parties have different roles for different transfers of personal data. In this case, they have to choose the appropriate module for each transfer.
How the relationship between controllers and processors works under the SCCs?
The GDPR allows national data protection authorities to draft SCCs for the relationship between controllers and processors (Article 28(8)). Conversely, the SCCs adopted by the Commission are binding for all data protection authorities within the European Economic Area (EEA). The validity of these SCCs can only be contested in front of the Court of Justice of the European Union (CJEU).
The processor must only process personal data from documented instructions given by the controller (Clause 7.1). Yet, the SCCs do not uphold the specific form for these instructions.
The processor has to provide the name(s) of the sub-processor(s) that are involved in the transfer. The parties can choose to go through either a prior specific authorisation or a general written authorisation. The processor needs to inform the controller in writing, within an agreed time period by both parties, of any intended changes on the list of sub-processors. The controller is able to object to these changes.
In case of a data breach, the processor needs to notify the controller “without undue delay” (Clause 9.2). No specific time period is required under the SCCs.
The processor can demonstrate compliance with the requirements of the SCCs by using an approved code of conduct or an approved certification mechanism.
The SCCs and upholding the GDPR requirements
The EU Commission has put in place SCCs to allow controllers or processors, that are subject to the GDPR, to transfer personal data to other controllers or processors outside the EEA (hence not subject to the GDPR).
EU data protection regulation extends to operations of controllers and processors outside the EEA because these actions have an impact on individuals that live within the EU. Therefore, the SCCs also apply to non-EEA controllers/processors which deal with non-EEA controllers/processors if processing personal data of EU citizens.
It is important to remember that SCCs do not apply to controllers/processors who are directly subject to the GDPR. Also, the SCCS are not adapted for data transfers to international organisations.
What are the obligations of data exporters and importers?
The data importer sometimes needs to share data received under the SCCs with another organisation outside its country of establishment. In this situation, the data importer must verify that adequate protection is in place. That data importer can ask a third party to join the SCCs or to agree on a separate contract that has a similar level protection as the one provided by the SCCs. Under the new SCCs, a docking clause can be implemented which allows parties to agree to adding an additional party to the agreement who is bound by the same terms. The additional party must fill out and sign the Annexes of the SCCs. The data importer will also have to disclose data under specific circumstances when the protection of vital interests of an individual is questioned or as part of a domestic administrative, regulatory or judicial proceeding. Outside these scenarios, the data importer needs to receive the express consent of concerned data subjects to transfer these to third parties.
The SCCs include two types of liabilities: liability of the parties towards data subjects and liability between the parties. This only apply for violations of the SCCs themselves. In the event of non-compliance with the data importer’s obligations, several options from Clause 16 are available for the data exporter:
- When the data importer breaches the Clauses or is unable to fulfil them, the data exporter can temporarily suspend the data transfer.
- In the most serious circumstances, the data exporter is authorised to terminate the parts of the contract that concern the processing of personal data under the SCCs.
The content of the SCCs will vary depending on the Module selected by the parties:
- The law applicable to the SCCs for Module 1, 2 and 3 will be the law that has to come from one of the EU Member States or EEA countries. Module 4 is the only scenario where the parties can choose the law of a non-EEA country.
- The competent data protection authority will be an EEA data protection authority for Module 1, 2 and 3. The data importer accepts to cooperate with that authority in any procedure related to the SCCs.
It is important to note that if the data exporter is established in the EEA, the designated authority must be the one competent to attest compliance by the exporter with the GDPR.
If the data exporter is not established in the EEA, but is directly subject to the GDPR, the competent authority will be either a representative or the data protection authority of an EEA country where the data subjects are located.
The parties must ensure the annexes are correctly filled out. The parties must indicate: their intention to apply the SCCs, the categories of personal data, the purposes of the transfer, the respective role of the parties, the competent supervisory authority, how is guaranteed data security for sensitive data.
If you think that your contractual agreements will need to be altered by 27 December 2022, please contact info@gerrishlegal.com!