One does not simply transfer personal data outside the European Economic Area …
EUROPEAN COMMISSION ADOPTS NEW STANDARD CONTRACTUAL CLAUSES FOR THE TRANSFER OF PERSONNAL DATA TO THIRD COUNTRIES
You have a contract with a client or a subcontractor located outside the European Economic Area (EEA) which requires you to transfer them personal data (or in another way make data available to them outside the EEA)?
Your company itself has subsidiaries located outside the EEA or is a daughter company of a company located outside the EEA?
You might want to check that you comply with the provisions of the GDPR regarding the transfer of personal data to third countries (art. 44 and following).
One of the tools that can be used to comply with these rules is the adoption of so-called “Standard Contractual Clauses” (hereafter SCCs), of which a brand-new set has just been adopted.
The key dates surrounding this new set of rules
On June 4, 2021, the European Commission has adopted the new set of Standard Contractual Clauses (after a joint opinion of the EDPB and the EDPS in January 2021).
These rules will come into effect on June 27, 2021.
The transitional period is as follow:
- The ‘old’ SCCs can continue to be used for new contracts for a transitional period of 3 months, ie until September 27, 2021;
- For existing contracts, the transitional period is of 18 months, meaning you will have to make the transition at the latest on December 27, 2022;
- However, for new data transfers occurring after September 27, 2021, ie if the operation of transfer of data occurring under a contract subject to the old SCCs changes, the transition to the new rules will have to be made at the latest at the time the new transfer occurs.
The aftermath of Schrems II – Risk assessment and warranties
The Commission’s response to Schrems II Decision of the Court of Justice of the EU and the consecutive European Data Protection Board’s draft Recommendations, consists in requiring the parties to “warrant that they have no reason to believe that the [laws of the territory of the data importer] prevent the data importer from fulfilling its obligations under these Clauses”(Clause 14).
This is not a warranty that may easily be granted by the parties, as the SCCs further require the parties to carry out a real and thorough risk assessment taking into account the specific circumstances of the transfer (storage location, number of actors concerned, type of processing and type of recipient, etc.), the laws and practices of the third country of destination (in particular of those requiring disclosure of data to public authorities), and of the relevant contractual, technical and organisational safeguards that can be applied to mitigate the risks identified.
One last striking feature is that this assessment must be documented and made available to the competent authorities upon request.
One set to rule them all – Modular approach
One the features of these new clauses, is that there is only one set of rules with different modules to apply on different situations – transfer controller to controller, controller to processor, etc. – depending on the transfer that takes place (instead of a different set of rules for each situation).
Another new feature in that regard, is that situation of transfer from a processor inside the EEA to a controller or processor located outside the EEA is now covered, so this set covers in fact all possible configurations.
Multipartite and docking clauses
The new SSCs also allow for multiple parties to contract together under the SCCs (as opposed to the old SCCs which only were designed as bipartite agreements), and even allow for new parties to join-in over time (under clause 7 – the ‘docking’ clause).
There are still other features of these new clauses to be examined, such as a new hierarchy clause (meaning for example that the liability clause of the SCCs may prevail over a contractual one).
What is certain is that these new “standard”contractual clauses are certainly not a simple form that you can sign to be compliant but require a thorough analysis of the transfer of data to implement.
Please do not hesitate to contact us should you require further information, advice and/or assistance on the issues discussed in this note, or any other data protection and privacy-related matter.