Standard contractual clauses
If a company wants to transfer personal data to a so-called third country outside the European Union or the European Economic Area, a data protection guarantee for the data transfer is required in addition to the legal basis for the data processing. Where there is no adequacy decision, the EU standard contractual clauses, also known as the EU Commission's standard data protection clauses ("SCC" for Standard Contractual Clauses), have therefore been used for years. These documents, which are now 25 years old, have now been updated.
This article is intended to answer the questions that have arisen in this context and thus provide assistance in using the new clauses in compliance with data protection regulations.
Please contact us if you have any further questions or require assistance with the necessary adjustments.
When does my company need SCC?
As soon as a company, in the role of controller and/or processor, transfers personal data to a so-called "third country", suitable guarantees pursuant to Art. 44 et seq. GDPR are necessary to protect this data, in order to ensure that the level of protection of natural persons' data guaranteed by the GDPR is not undermined.
If there is no adequacy decision by the Commission for the third country, the SCCs will usually be a key building block for this.
According to the so-called Schrems II judgment of the European Court of Justice (judgment of 16.07.2020, case C-311/18), the guarantees listed in Art. 44 et seq. GDPR are not sufficient on their own. Rather, the data protection situation in the recipient country must be examined and it must be determined which further technical and organizational measures (encryption, anonymization, pseudonymization) are additionally required for the respective case.
One possible outcome of such a risk assessment may also be the decision not to carry out the planned data transfer and to find a European solution instead.
How do the new SCCs differ from the old ones?
Compared with the previous standard contractual clauses, the new SCCs have now been adapted to the wording and requirements of the GDPR.
The new SCCs have a modular structure and offer significantly more individual customization options, but also more work before they can be used for the respective data transfer. Whereas with the previous SCCs, the customization work usually ended once the details of the two contracting parties had been filled in, with the new SCCs the actual drafting of the contract clauses only begins at this point.
Under the new SCCs, other institutions can for the first time join a contract based on the standard contractual clauses as data importers or exporters.
Previously, there were no clauses for the "processor and sub-processor" constellation. The new standard contractual clauses are modular in structure and can therefore be applied to a larger number of contracts than before and also include contracts at the subcontracting level.
If service providers process data on the instructions of a company, this constitutes order processing within the meaning of the GDPR. In such cases, a so-called order processing contract (AVV for short) must be concluded. The new standard contractual clauses now also meet the requirements for a data processing agreement. This means that if a contract based on the standard contractual clauses is concluded, the conclusion of an additional data processing agreement is no longer mandatory.
In particular, clauses 14 and 15 of the new SCC contain specific security measures that correspond to some of the additions to the old standard contractual clauses that data protection authorities and the European Data Protection Board ("EDPB") had already proposed in order to meet the requirements of the Schrems II judgment.
Fortunately, the new SCCs now stipulate that these take precedence and supersede any conflicting contractual or general terms and conditions clauses (Section I Clause 5).
Chapter 12 in Section II contains modular liability clauses and stipulates (together with the provision on the priority of the SCC) that, in principle, the liability of the contracting parties is not restricted, for example, by external exclusions of liability in general terms and conditions.
In Section IV (Clauses 17 & 18), the contracting parties can now determine the validity of a specific national law and the place of jurisdiction (within the EU). For example, the validity of German law can be specified even though the standard contractual clauses are concluded by a subsidiary in Italy.
With regard to the current discussions on data transfers to the USA or other third countries, the data importer undertakes in clause 15, among other things:
- To make every effort to lift the ban on notifying the data exporter / data subject. The aim should be to provide as much information as possible and as quickly as possible. The data importer therefore undertakes to document the efforts it has made in order to be able to provide evidence of them at the request of the data exporter.
- To review the legality of the request for disclosure, in particular whether the request is within the scope of the powers conferred on the requesting authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to believe that the request is unlawful under the laws of the country of destination, applicable obligations under international law and the principles of international comity ("Völkercourtoisie": acts, practices and rules observed in international relations between states because of their sovereignty, based on friendship, neighborliness and mutual respect). Under the above conditions, the data importer may seek legal remedies. When challenging a request, the data importer shall obtain interim measures to suspend the effect of the request until the competent judicial authority has ruled on its merits. It shall only disclose the requested personal data if this is required under the applicable procedural rules.
This obligation can lead to considerable costs for the data importer (if corresponding disclosure decisions are actually made).
Both contracting parties undertake in clause 14 to have given due consideration to the following aspects in particular:
- the special circumstances of the transmission, including the length of the processing chain, the number of actors involved and the transmission channels used, intended onward transfers of data, the type of recipient, the purpose of the processing, the categories and format of the personal data transmitted, the economic sector in which the transmission takes place, and the storage location of the transmitted data,
- the laws and practices of the third country of destination that are relevant in view of the special circumstances of the transmission (including those requiring disclosure of data to public authorities or permitting access by public authorities to such data), and the applicable restrictions and safeguards,
- any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures implemented during the transmission and the processing of personal data in the country of destination.
These three points must therefore be taken into account in particular for third country transfers as part of the risk assessment and considerations, and this must be documented.
Can I continue to use the old SCCs?
If you are currently in contract negotiations and a renegotiation of the new SCC would lead to delays, you can still use the old SCC until September 27, 2021. However, these would have to be replaced by the new SCCs by December 27, 2022 at the latest.
From September 27, 2021, the new SCCs must be used without exception.
How long can I use old SCCs?
For all new contracts concluded from September 27, 2021 onwards, the new standard contractual clauses must be taken into account. Until then, the old SCCs could still be used, but these would then have to be replaced by the new SCCs by December 27, 2022 at the latest.
I have a contract with old SCCs. Do I now have to replace these with the new SCCs?
Yes, the previous SCCs must be replaced by the new SCCs by December 27, 2022 at the latest. If the contract ends before this date, replacement is therefore not mandatory.
In the event of relevant changes to the contract, the data exporter should take advantage of this opportunity immediately and replace the existing SCCs with the new ones, for example when subcontracting processing operations that are the subject of the contract to a subcontractor/processor.
When do I have to replace old SCCs with new ones?
For existing contracts, the replacement must take place within 18 months, i.e. by December 27, 2022 at the latest. If the corresponding contract or the processing ends before this date, it is not absolutely necessary to replace them.
What should I do if my contractual partner does not want to update the SCC?
In particular, if the cooperation and the associated data exchange with the contractual partner is to continue beyond December 27, 2022, the contractual partner should be informed of the legal risks (see point 3.9) and the specific reasons for the refusal should be inquired about.
After 25 years of good service, the old SCCs are no longer up to date and can barely accommodate the various contractual constellations in an up-to-date and individualized form. The new SCCs are better suited to the current challenges and support the contractual partners in the data protection-compliant design of third country transfers. Updating the SCC would therefore be in the interests of both parties.
If the contractual partner nevertheless refuses, it would make sense to re-evaluate the continuation of the contractual relationship, taking into account the additional risks for the company.
With whom must SCCs be concluded?
As soon as a data transfer to a country outside the EU/EEA is to take place, the new SCCs must be concluded between the respective parties.
The new SCCs provide for four different processing constellations (modules), which must be selected accordingly in the SCCs:
- Module One, C2C (Controller to Controller): transmission from one controller (in the EU) to another controller (in a third country)
- Module Two, C2P (Controller to Processor): transmission from the controller (in the EU) to the processor (in the third country)
- Module Three, P2P (Processor to Processor): transmission from one processor (in the EU) to another (sub-)processor (in the third country)
- Module Four, P2C (Processor to Controller): transmission from a processor (in the EU) to the controller (in the third country)
Can I adapt or delete clauses in the SCC?
The new SCCs have a modular structure and must be individually adapted within the framework of the available modules.
With the exception of the selection of the relevant module or modules or the addition or updating of information in the annex, no further changes or deletions may be made.
However, the standard contractual clauses may be included in a more extensive contract (e.g. as an annex). Further clauses or additional guarantees may also be added, provided that they neither directly nor indirectly contradict the other provisions of the SCC nor restrict the fundamental rights or freedoms of the data subjects, such as the rights of data subjects (Art. 15-22 ff. GDPR).
In which language do I have to use the new SCC?
The new version of the SCC is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en in all European languages and can be used accordingly. We recommend that you use the language version that you predominantly use in your communication with the respective contractual partner or the language in which you have created the other contractual documents.
If you want to use two language versions in parallel (e.g. English for your contractual partner in the UK and German for your copy), it makes sense to specify which of the two documents takes precedence in any discussions regarding interpretation.
Do I have to hand over the new SCCs to the persons concerned?
As before, Art. 13(1)(f) GDPR requires that the data subject be provided with "a reference to the appropriate or suitable safeguards and how to obtain a copy of them or where they are available". For example:
In cases involving a transmission of data outside the EU, we have concluded corresponding EU standard contractual clauses. You can request a copy of these clauses by sending an email to SCC-Kopie@unternehmen.de or you can find them on our website at www.unternehmen.de/scc.
Can I now use the new SCC to transfer personal data to third countries such as the USA without further measures? Can I do without additional protective measures?
No. As part of a mandatory risk assessment, the data protection situation in the recipient country must be evaluated and suitable protective measures must be defined on this basis, or, in the opinion of the Chairwoman of the Data Protection Conference, among others, the data processing may not take place.
What risk does my company face if I do without the SCC or use it incorrectly?
In addition to the risk of warning letters from interest groups and competitors (competition law) and reputational damage in the event of media coverage of non-compliant data processing, there is a particular risk of sanctions by the competent data protection supervisory authority.
The sanction options (Art. 58 GDPR) include
- the possibility of carrying out investigations in the form of data protection audits,
- to issue a warning,
- to instruct the controller to bring processing operations into compliance with legal requirements in a specified manner and within a specified period of time,
- the suspension of the transmission of data to a recipient in a third country or to an international organization,
- a temporary or permanent restriction of the processing, including a ban, and/or
- in the event of violations of the provisions regarding the transmission of personal data to a recipient in a third country or to an international organization (Articles 44 to 49 GDPR), a fine of up to EUR 20,000,000 or, in the case of a group of companies or groups of companies, up to 4 % of its total worldwide annual turnover in the preceding financial year, whichever is higher.
When selecting a sanction, the supervisory authority will certainly also take into account whether efforts have been made to use the SCC correctly or whether the SCC has been dispensed with altogether despite its obvious necessity.





