Standard contractual clauses
If a company wishes to transfer personal data to a so-called third country outside the European Union or the European Economic Area, a data protection guarantee for the data transfer is required in addition to the legal basis for the data processing. In the absence of an adequacy decision by the EU Commission, the EU standard contractual clauses, also known as standard data protection clauses of the EU Commission ("SCC" for Standard Contractual Clauses), have therefore been used for years. These documents, which are now 25 years old, have now been updated.
This article is intended to answer the questions that have arisen in this context and thus provide assistance in using the new clauses in compliance with data protection regulations.
Please contact us if you have any further questions or require assistance with the necessary adjustments.
When does my company need SCC?
As soon as a company, whether in the role of controller and/or processor, transfers personal data to a so-called "third country", appropriate safeguards for the protection of this data are required in accordance with Art. 44 et seq. GDPR, so that the level of protection guaranteed by the GDPR for the data of natural persons is not undermined.
If there is no adequacy decision by the EU Commission for the third country, the SCCs will usually be an essential building block for this.
As the so-called Schrems II judgment of the European Court of Justice (judgment of 16.07.2020, case C 311/18) has made clear, the guarantees listed in Art. 44 et seq. GDPR are not sufficient on their own. Rather, the data protection situation in the recipient country must be examined and it must be determined which further technical and organizational measures (encryption, anonymization, pseudonymization) are additionally required for the respective case.
One possible outcome of such a risk assessment may also be the decision not to carry out the planned data transfer and to find a European solution instead.
How do the new SCCs differ from the old ones?
The previous standard contractual clauses date back to 1996. The new SCCs have now been adapted to the wording and requirements of the GDPR.
The new SCCs have a modular structure and offer significantly more individual customization options, but also more work before they can be used for the respective data transfer. Whereas with the previous SCCs, the customization work usually ended once the details of the two contracting parties had been filled in, with the new SCCs the actual drafting of the contract clauses only begins at this point.
For the first time, the new SCCs allow other entities to accede, as data importers or data exporters, to a contract concluded on the basis of the standard contractual clauses.
Previously, there were no clauses for the "processor and sub-processor" constellation. The new standard contractual clauses have a modular structure and can therefore be applied to a larger number of contracts than before and also include contracts at the subcontractor level.
If service providers process data on the instructions of a company, this constitutes processing on behalf of a controller (commissioned processing) within the meaning of the GDPR. In such cases, a so-called data processing agreement ("DPA" for short) must be concluded. The new standard contractual clauses now also meet the requirements for a data processing agreement. This means that if a contract is concluded on the basis of the standard contractual clauses, the conclusion of an additional data processing agreement is no longer mandatory.
In particular, clauses 14 and 15 of the new SCC contain special security measures that correspond to some of the additions already proposed by data protection authorities and the European Data Protection Board ("EDPB") to the old standard contractual clauses in order to meet the requirements of the Schrems II ruling.
Fortunately, the new SCCs now stipulate that these take precedence and supersede any conflicting contractual or general terms and conditions clauses (Section I Clause 5).
In Section II, Chapter 12 contains modular liability clauses and (together with the provision on the primacy of the SCC) generally stipulates that the liability of the contracting parties is not limited, for example, by external exclusions of liability in the GTC.
In Section IV (Clauses 17 & 18), the contracting parties can now specify the application of a particular national law and the place of jurisdiction (within the EU). For example, the validity of German law can be specified even though the standard contractual clauses are concluded by a subsidiary in Italy.
With regard to the current discussions on data transfers to the USA or other third countries, the data importer undertakes in clause 15, among other things:
- To make every effort to lift the ban on notifying the data exporter / data subject. The aim should be to provide as much information as possible and as quickly as possible. The data importer therefore undertakes to document the efforts it has made in order to be able to provide evidence of them at the request of the data exporter.
- To review the legality of the request for disclosure, in particular whether the request is within the scope of the powers conferred on the requesting authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to believe that the request is unlawful under the laws of the country of destination, the applicable obligations under international law and the principles of international comity ("Völkercourtoisie": the acts, practices and rules observed in relations between sovereign states on the basis of friendship, good neighborliness and mutual respect). Under these conditions, the data importer may seek legal remedies. When contesting a request, the data importer shall seek interim measures to suspend the effect of the request until the competent judicial authority has ruled on its merits. It shall only disclose the requested personal data if this is required under the applicable procedural rules.
This obligation can lead to considerable costs for the data importer (if corresponding disclosure decisions are actually made).
In clause 14, both contracting parties warrant that they have given due consideration to the following aspects in particular:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, intended data onward transfers, the nature of the recipient, the purpose of the processing, the categories and format of the personal data transferred, the economic sector in which the transfer takes place, the location of the transferred data,
- the relevant laws and practices of the third country of destination in view of the specific circumstances of the transfer (including those requiring disclosure of data to public authorities or allowing access to such data by public authorities) and the applicable restrictions and safeguards,
- any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during the transfer and processing of personal data in the country of destination.
These three points must therefore be taken into account in particular for third country transfers as part of the risk assessment and considerations, and this must be documented.
Can I continue to use the old SCCs?
If you are currently in contract negotiations and a renegotiation of the new SCC would lead to delays, you can still use the old SCC until September 27, 2021. However, these would have to be replaced by the new SCCs by December 27, 2022 at the latest.
From September 27, 2021, the new SCCs must be used without exception.
How long can I use old SCCs?
The new standard contractual clauses must be taken into account for all newly concluded contracts from September 27, 2021. Until then, the old SCCs could still be used, but these would then have to be replaced by the new SCCs by December 27, 2022 at the latest.
I have a contract with old SCCs. Do I now have to replace these with the new SCCs?
Yes, the previous SCCs must be replaced by the new SCCs by December 27, 2022 at the latest. If the contract ends before this date, replacement is therefore not mandatory.
In the event of relevant changes to the contract, the data exporter should take advantage of this opportunity immediately and replace the existing SCCs with the new ones. For example, when subcontracting processing operations that are the subject of the contract to a subcontractor/processor.
When do I have to replace old SCCs with new ones?
For existing contracts, the replacement must take place within 18 months, i.e. by December 27, 2022 at the latest. If the corresponding contract or processing ends earlier, replacement is not mandatory.
What should I do if my contractual partner does not want to update the SCC?
In particular, if the cooperation and the associated data exchange with the contractual partner is to continue beyond December 27, 2022, the contractual partner should be informed of the legal risks (see point 3.9) and the specific reasons for the refusal should be inquired about.
After 25 years of good service, the old SCCs are no longer up to date and can hardly accommodate the variety of contractual constellations with the currency and flexibility required today. The new SCCs are better suited to the current challenges and support the contracting parties in designing third country transfers in compliance with data protection law. Updating the SCCs would therefore be in the interests of both parties.
If the contractual partner nevertheless refuses, it would make sense to re-evaluate the continuation of the contractual relationship, taking into account the additional risks for the company.
With whom must SCCs be concluded?
As soon as a data transfer to a country outside the EU/EEA is to take place, the new SCCs must be concluded between the respective parties.
The new SCCs provide for four different processing constellations (modules), which must be selected accordingly in the SCCs:
- Module One (C2C, Controller to Controller): transfer from one controller (in the EU) to another controller (in a third country)
- Module Two (C2P, Controller to Processor): transfer from the controller (in the EU) to the processor (in the third country)
- Module Three (P2P, Processor to Processor): transfer from one processor (in the EU) to another (sub-)processor (in a third country)
- Module Four (P2C, Processor to Controller): transfer from a processor (in the EU) to the controller (in the third country)
Can I adapt or delete clauses in the SCC?
The new SCCs have a modular structure and must be individually adapted within the framework of the available modules.
With the exception of the selection of the relevant module or modules or the addition or updating of information in the annex, no further changes or deletions may be made.
However, the standard contractual clauses may be included in a more comprehensive contract (e.g. as an annex). Other clauses or additional safeguards may also be added, provided that they do not directly or indirectly contradict the other provisions of the SCC or restrict the fundamental rights or freedoms of the data subjects, such as the rights of data subjects (Art. 15-22 et seq. GDPR).
In which language do I have to use the new SCC?
The new version of the SCC is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en in all European languages and can be used in any of them. We recommend that you use the language version that you predominantly use in your communication with the respective contractual partner, or the language in which you have drafted the other contractual documents.
If you want to use two language versions in parallel (e.g. English for your contractual partner in the UK and German for your copy), it makes sense to specify which of the two documents takes precedence in any discussions regarding interpretation.
Do I have to provide the new SCCs to the data subjects?
As before, Art. 13(1)(f) GDPR requires that the data subject be provided with "a reference to the appropriate or suitable safeguards and how to obtain a copy of them or where they are available". For example:
In cases where data is transferred outside the EU, we have concluded corresponding EU standard contractual clauses. You can request a copy of these clauses by sending an email to SCC-Kopie@unternehmen.de or you can find them on our website at www.unternehmen.de/scc.
Can I now use the new SCC to transfer personal data to third countries such as the USA without further measures? Can I do without additional protective measures?
No. As part of a mandatory risk assessment, the data protection situation in the recipient country must be evaluated and suitable protective measures must be defined on that basis; otherwise, also in the view of the Chair of the Data Protection Conference, the data processing may as a rule not take place.
What risk does my company face if I do without the SCC or use it incorrectly?
In addition to the risk of warnings from interest groups and competitors (competition law) and reputational damage in the event of media coverage of non-compliant data processing, there is a particular risk of sanctions by the competent data protection supervisory authority.
The possible sanctions (Art. 58 GDPR) include:
- carrying out investigations in the form of data protection audits,
- issuing a warning,
- instructing the controller to bring processing operations into compliance with legal requirements in a specified manner and within a specified period of time,
- ordering the suspension of data transfers to a recipient in a third country or to an international organization,
- imposing a temporary or definitive restriction on processing, including a ban, and/or
- imposing a fine of up to EUR 20,000,000 or, in the case of a company or group of companies, up to 4 % of its total worldwide annual turnover in the previous financial year, whichever is higher, for infringements of the provisions on the transfer of personal data to a recipient in a third country or to an international organization (Articles 44 to 49 GDPR).
When selecting a sanction, the supervisory authority will certainly also take into account whether efforts have been made to use the SCC correctly or whether the SCC has been dispensed with altogether despite an obvious requirement.