Transferring personal data outside the EEA? The impact of the new standard contractual clauses in brief
5 min read
Author: Jackie Mallia
If you are required to transfer personal data outside the EEA, you will be aware of the European Commission’s standard contractual clauses for controller to controller (C2C), and controller to processor (C2P) transfers. On 4th June 2021, the European Commission released its highly anticipated new standard contractual clauses (‘SCCs’) for the transfer of personal data to third countries, which entered into effect on 27th June 2021. The new SCCs consider international processing scenarios and address different processing scenarios which could entail multiple data importers and exporters.
The new SCCs have been a long time coming, especially following the coming into force of the GDPR (since the old SCCs were designed for pre-GDPR data protection regulation), and even more so following the landmark Schrems II decision of July 2020, which was called into question the reliability of the old SCCs as a data transfer mechanism. The new SCCs also line up with the EDPB Recommendations 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version 2.0, June 18, 2021).
The Modular Approach to Transfer Personal Data
The new SCCs adopt a modular approach based on the following four scenarios:
- Module 1: From a controller to another controller (C2C);
- Module 2: From a controller to a processor (C2P);
- Module 3: From a processor to a processor (P2P);
- Module 4: From a processor to its appointing controller (P2C).
All four sets of clauses are effectively consolidated into one document, allowing controllers and processors to select the relevant module which is applicable to their particular transfer scenario. It should be noted that the old SCCs did not cater for P2P or P2C data transfers – this is a welcome addition since prior to this, data exporting parties had limited means in achieving compliance through the old SCCs in these circumstances.
Non-EU established Personal Data Exporters
The old SCCs required the data exporter to be established in the EEA, in order to be available as a valid data transfer mechanism. This matter has been resolved with the recent amendments, as the new SCCs can be used for transferring personal data from a data exporter not based in the EEA to a data importer also not based in the EEA, such as from a processor to a sub-processor, provided that the data exporter’s activity is regulated by the GDPR.
The revised SCCs reflect the widespread practice in the market, as they enable multi-party use, meaning more than two parties are allowed to contract and adhere to the SCCs. It also includes a “docking” clause, allowing additional controllers and processors to accede to the clauses throughout their term.
Schrems II Judgement Considerations:
In consideration of the Schrems II judgement, the new SCCs require a documented data transfer risk assessment: both the data exporter and importer must confirm that they have assessed the laws in the recipient country and accordingly have no reason to believe that such laws would prevent the data importer from fulfilling its obligations under the SCCs. The assessment should take into account matters such as (but not limited to) the length of the processing chain, the number of actors involved and the transmission channels used, intended onward transfers, the type of recipients, the purpose of processing, the categories and format of the transferred personal data and the sector. The assessment must be made available to the competent supervisory authority upon request. Furthermore, the data importer must notify the data exporter and the data subject if it receives a request from a public authority for disclosure of the transferred personal data or in the event of any access by public authorities to transferred personal data. The data importer is also required to challenge the legality of the request.
Here are some important dates to keep in mind:
- Data exporters and importers can continue using the existing SCCs until 27th September 2021. After this date, no new contracts can be executed under the ‘old’` standard contractual clauses.
- The transitory period to convert any existing agreement from the old SCCs to the new SCCs is 18 months, meaning that data exporters and importers have until 27 December 2022 to complete this exercise. After this date contracts still based on the old SCCs will no longer be considered as providing appropriate safeguards under the GDPR.
How should you go about these amendments?
The new SCCs will require organisations to dedicate some substantial effort to assessing cross-border transfer chains. The following assessments should be considered by organisations in relation to any current relationships governed by the old SCCs:
- which data transfers fall under the SCCs, and which jurisdictions are relevant;
- how the new SCCs should be implemented and which of the modules should apply;
- an assessment of the new SCCs and any conflicts with other provisions under contracts of which the old SCCs formed part.