On June 4th, 2021 the European Commission announced the adoption of the long-awaited revised Standard Contractual Clauses (SCCs). Sometimes called model contract clauses.
The model clauses are intended to facilitate cross-border transfers of personal data between entities within the European Union (EU), Norway, Iceland, and Liechtenstein, to entities in other countries.
In addition to the SCCs for international transfers, the Commission has also adopted model clauses that can be used as part of a data processing agreement with an EU entity, as required under Article 28 GDPR.
International Transfer Standard Contractual Clauses: Scope & Content
The new SCCs intended for international transfers are based on four scenarios:
- Module 1 controller-to-controller;
- Module 2 controller-to-processor;
- Module 3 processor-to-sub-processor; and
- Module 4 processor-to-controller.
In addition, the standard contractual clauses contain a docking clause, allowing parties that are joining the processing operation to be part of the same contract, instead of signing a whole range of individual agreements with organizations.
This could be useful if multiple legal entities of a controller or processor need to be part of the contract.
By using the SCCs, organizations can ensure that their data transfers meet the basic requirements of the EU’s GDPR and that the necessary “appropriate safeguards” are in place.
This includes requirements on transparency towards the data subject, as well as provisions on dealing with individual rights and regulator requests.
The “regulator” refers to one of the European data protection authorities (DPAs). The clauses must stipulate which of the DPAs will be responsible to oversee a particular data transfer.
The SCCs furthermore deal with the key data protection principles of the GDPR, including data minimization, data security, and accountability.
These new standard contractual clauses retain the annex requirement that needs to be completed for the SCCs to be valid.
The annex includes an overview of the parties involved, an extensive description of the transfer, and a list of the technical and organizational security measures that have been implemented.
Finally, the SCCs must include an overview of the subprocessors involved in a processing operation.
The new SCCs have embraced an accountability approach for both the data exporters and the data importers.
Both should properly document their compliance assessments. And be ready to make that documentation available to the DPA upon request.
SCC’s Scope of Application
Organizations that have contracts in place using SCCs, or are looking to use SCCs in the future, should first confirm if they are allowed to do so.
One of the major changes compared to the old standard contractual clauses is the scope of application.
Based on the Commission Decision, the SCCs can only be applied for situations where the recipient’s organization (the data importer) would not be directly subject to the GDPR for the processing operation at hand.
If an organization is offering goods or services, or is monitoring the behavior of individuals in the EEA (European Economic Area), the SCCs cannot be invoked.
The data processing operation would already be subject to all the rules of the GDPR. In this situation, an onward transfer to a processor of the data importer should be covered by SCCs.
Post-Schrems-II Requirements are Reflected in the Standard Contractual Clauses
The new standard contractual clauses bring the model clauses in line with the GDPR and include a section dedicated to the mandatory data transfer risk assessment.
The Schrems-II ruling confirmed that even if using appropriate safeguards like SCCs, organizations should always assess if the recipient of the data in the third country would be able to comply with all the requirements of the GDPR.
Organizations need to conduct a data transfer risk assessment specifically when taking into account government surveillance and access laws.
The outcomes of this assessment are used by organizations to comply with Clause 2 of the SCCs: Local Laws Affecting Compliance with the Clauses. Always document the data transfer risk assessment.
Where legislation exists that may interfere with the fundamental rights and freedoms of the individuals whose personal data are transferred, supplementary measures will need to be put in place.
These can be of a legal, operational, or technical nature, as was also explained in the (draft) guidance from the European Data Protection Board.
Be aware that the new standard contractual clauses are not as fool-proof of a transfer mechanism as they were in the past.
After doing an assessment of the third country in scope, the conclusion may be that no measures would suffice to properly protect personal data against the risk of government interference.
If so, the data transfer cannot take place in any case, not without a conversation with the DPA appropriate for the organization.
The Standard Contractual Clauses and the UK
Please do keep in mind that the United Kingdom (UK) is no longer a part of the EU. However, in June 2021, the UK adopted two decisions for personal data under the GDPR and under the Law Enforcement Directive.
In addition, the UK still applies the GDPR in full, having adopted the UK GDPR as part of their national legislation with the same provisions as the EU GDPR.
Data transfers to and from the EU/EEA and to and from the UK will require data transfer mechanisms to be put in place.
In August 2021, the UK Information Commissioner’s Office (ICO) opened a consultation on transfer mechanisms – including an International Data Transfer Agreement, a Transfer Risk Assessment, and an addendum to be used with the EU SCCs.
These documents are adopted and in force as of March 21, 2022.
Complications with Standard Contractual Clauses for Non-EU Controllers
The complex element here is the cross-border transfers.
The new SCCs indicated that non-EU controllers whose processes were directly subject to the GDPR did not need to use SCCs for cross-border transfers.
Soon thereafter, the European Data Protection Board issued guidance nullifying that premise.
There is tension between Article 3 of the GDPR (territorial scope) and Chapter V on transfers of personal data to third countries.
The European Commission has indicated it will develop additional modules to manage this interpretation.
While waiting for a new potential agreement between the EU and US, some entities choose to use the existing new SCCs.
Transitioning to EU Standard Contractual Clauses
The international transfers standard contractual clauses entered into force in June 2021.
From that moment on, organizations had three months to conclude any pending negotiations based on the old SCCs, if they chose to use those.
That means that by late September 2021, any new contracts dealing with international transfers needed to use the new SCCs.
All contracts must be transitioned to the new SCCs by 27 December 2022.
Need Help with New Standard Contractual Clauses?
TrustArc can help you understand your data transfer risk and identify your high risk data processing activities.
Additionally, our Privacy Management Platform can help you properly document your business processes, the underlying compliance policies and procedures, as well as the details of your transfer risk assessments.