The European Commission recently issued a question and answer document about the EU standard contractual clauses that were issued in 2021. This article briefly looks at some of the highlights.
What’s this all about?
Under the EU General Data Protection Regulation (EU GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a basis for data transfers from the EU to third countries. This includes so-called standard contractual clauses (“SCCs”), also often referred to as model clauses, that the European Commission may issue.
In the summer of 2021 the European Commission issued an updated set of SCCs under EU GDPR which replaced the previous sets of SCCs. Since 27 September 2021 it is no longer possible to conclude contracts incorporating these earlier sets of SCCs, but, until 27 December 2022, controllers and processors can continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, provided that the processing operations that are the subject matter of the contract remain unchanged.
The European Commission has now issued a document entitled “The New Standard Contractual Clauses – Questions and Answers”, in effect a set of FAQs, to provide practical guidance on the use of the SCCs. According to the European Commission, this document is based on feedback received from various stakeholders on their experience with using the new SCCs in the first months after their adoption. The European Commission also says that the document is intended to be a “dynamic” source of information and will be updated as new questions arise.
What is in the FAQs?
Highlights of the FAQs include the following:
- Signature – The parties need to fill in the annexes to the SCCs and sign Annex I; the annexes form an integral part of the clauses. The SCCs do not contain any requirements on how the signature should be formalised (e.g., whether it can be done electronically) – this is left to the national (civil/contract) law governing the agreement;
- Modifications – The text of the SCCs may not be altered, except: (i) to select modules and/or specific options offered in the text; (ii) to complete the text where necessary (indicated by square brackets), e.g. to indicate the competent courts and supervisory authority, and to specify time periods; (iii) to fill in the Annexes; or, (iv) to add additional safeguards that increase the level of protection for the data. These adaptations are not considered as altering the core text;
- Additional Clauses – The parties may supplement the SCCs with additional clauses or incorporate them into a broader commercial contract, as long as the other contractual provisions do not contradict the SCCs, either directly or indirectly, or prejudice the rights of data subjects. Example: Clause 12(a) of the SCCs for international data transfers specifically regulates the liability between the parties. The parties may not include a general exculpation from liability (i.e. one also covering the clauses of the contract that incorporate the SCCs) in the commercial contract, as this would contradict this provision of the SCCs. In addition, it would likely prejudice the rights and freedoms of individuals, e.g. by reducing the incentive for the parties to ensure compliance with the SCCs. When relying on the SCCs, the parties should only agree the clauses that are relevant to their situation. The modules and/or options that do not apply should be deleted;
- The Docking Clause – One or several new parties may adhere to the SCCs with the consent of all the pre-existing parties. The formalisation of such consent is not regulated by the SCCs, but should be done in accordance with relevant provisions of the national law governing the SCCs. For example, if allowed under applicable contract law, one party may be appointed by the others to agree to the accession of a new party on behalf of all pre-existing parties. Once this authorisation is formalised, the new party will need to complete the Annexes and sign Annex I of the SCCs in order to make such accession effective. Amending the main agreement to which the SCCs are annexed, by adding parties to that agreement, is not sufficient to add parties to the SCCs. The Annexes to the SCCs must be updated when parties are added. For example, when new parties accede, these parties and their roles should be listed and, where relevant, the description of the transfers and applicable technical and organisational measures brought up to date accordingly;
- Form of Instructions given by Controller to Processor – According to Clause 7(1) of EU GDPR “The processor shall process personal data only on documented instructions from the controller”. The SCCs do not specify the form in which the instructions shall be given, so the controller can decide to provide those instructions in whatever form is deemed appropriate (e.g. in writing or orally, through online tools and technical signals), on the condition that the instructions are documented;
- Deadlines – Agreements to transfer data concluded after 27 September 2021 must be based on the new SCCs. For those entities that entered into a transfer agreement based on the previous SCCs before 27 September 2021, a transition period is granted until 27 December 2022 to switch to the new SCCs. However, organisations have to switch to the new SCCs before that date if the data processing operations governed by the contract are modified. Example: a data exporter and importer have concluded a service agreement before 27 September 2021, relying on the previous SCCs for their data transfers. In February 2022, there is a change in the prices set out in the service agreement. As this does not affect the processing of personal data under the SCCs, this change does not require the parties to switch to the new SCCs (although they will still have to do so by 27 December 2022). Example: a data exporter and importer have concluded a service agreement before 27 September 2021, relying on the previous SCCs for their data transfers. In February 2022, the parties agree that additional categories of data will be transferred. This change affects the processing of personal data under the SCCs and the parties therefore need to switch to the new SCCs;
- Scope – The SCCs can be used by controllers or processors that are subject to EU GDPR to transfer personal data to controllers or processors outside the EEA whose activities are not subject to EU GDPR. (i) First, the SCCs can be used by controllers and processors in the EEA to transfer data outside the EEA, in particular: by an EEA controller, to transfer personal data to a controller or processor outside the EEA that is not subject to EU GDPR; by an EEA processor, to transfer personal data to a sub-processor or to a controller outside the EEA (on whose behalf it is processing the data) that is not subject to EU GDPR. Example: a Czech company uses the SCCs to transfer data of its employees to a payroll provider in Singapore. (ii) Second, the direct applicability of the EU data protection rules extends to certain processing operations of controllers and processors outside the EEA, for example because they specifically target the EEA market by offering goods or services to individuals. The SCCs can therefore also be used by those non-EEA controllers and processors for data transfers related to these processing operations to non-EEA entities, in particular: by a controller outside the EEA whose processing is subject to EU GDPR to a controller or processor outside the EEA that is not subject to EU GDPR; by a processor outside the EEA whose processing is subject to EU GDPR to a sub-processor or to a controller outside the EEA (on whose behalf it is processing the data) that is not subject to EU GDPR. Example: a travel agency in Thailand is directly subject to EU GDPR pursuant to Article 3(2), because it offers tourist travel packages targeted at European customers (as the offer of these packages is made in languages used in the EEA, is adapted to the needs and preferences of European tourists, with the possibility to pay in Euro or another currency used in the EEA, etc.). To arrange accommodation in Thailand, the agency has an ongoing arrangement with a local hotel. The travel agency may use the SCCs (Module 1) to share the personal data of European tourists with the hotel. The SCCs cannot be used for data transfers to controllers or processors whose processing operations are directly subject to EU GDPR. The SCCs provide a comprehensive data protection framework that has been developed to ensure continuity of protection in case of data transfers to data importers that are not subject to EU GDPR. They do not work for importers whose processing operations are subject to EU GDPR pursuant to Article 3, as they would duplicate and, in part, deviate from the obligations that already follow directly from EU GDPR. The European Commission says that it is in the process of developing an additional set of SCCs for this scenario, which will take into account the requirements that already apply directly to those controllers and processors under EU GDPR;
- Multi-Module Approach – Several modules can be agreed between the same parties at the same time. The parties have to choose the module(s) that correspond to their situation. It may occur that the parties assume different roles for different data transfers taking place between them as part of their overall contractual relationship. If this is the case, they should use the appropriate module for each such transfer. For example, for some data transfers by a controller (data exporter), the data importer may act as a controller, whereas it may be a processor for others. In that case, the parties may use both Module 1 (for those transfers for which both the data exporter and data importer act as controllers) and Module 2 (for those transfers for which the data exporter acts as controller and the data importer as processor);
- Data Processing Agreements – For data transfers from controllers to processors, or processors to sub-processors, the requirements of Article 28 of EU GDPR have been incorporated into the SCCs. Companies therefore do not need to sign a separate contract to comply with Article 28 of EU GDPR. The requirements of Article 28 of EU GDPR have been incorporated into Module 2 (controller-to-processor transfers) and 3 (processor-to-processor transfers) of the SCCs. By using these modules, controllers and processors do not need to enter into a separate data processing agreement, as they can ensure compliance both with the requirements of Article 28 of EU GDPR and the requirements for international data transfers;
- Module 4 (Processor to Controller) Scenario – Module 4 should be used where a processor in the EEA is hired by a controller outside the EEA, either to collect data in the EEA on behalf of the controller or to process data received from the controller in the EEA. In those cases, the SCCs can be used by the processor to transfer the data (back) to its controller. Example: a Moroccan company uses cloud services offered by a Luxembourg company to store data on its customer database. The SCCs (Module 4) can be used to transfer the data from Luxembourg (by the data exporter) (back) to Morocco (to the data importer);
- Liability – The SCCs regulate two types of liability: liability of the parties towards data subjects; and, liability between the parties. Other clauses in a broader (commercial) contract (e.g. special rules on the distribution of liability, liability caps in the relationship between the parties) may not contradict or undermine these liability schemes of the SCCs. However, it is important to note that this only applies to liability for violations of the SCCs themselves. The liability clauses of the SCCs do not affect liability provisions that may apply to other aspects of the contractual relationship between the parties;
- The Annexes – With respect to security, Annex II contains a list of examples of possible measures that can be put in place. The parties are not required to list each of these measures, but should describe those measures that are actually implemented by the data importer to ensure an appropriate level of security. Examples of information to be provided in the annexes include the following: (i) categories of data subjects whose data is transferred, e.g. employees, customers (natural persons), persons who are members of a loyalty programme, natural persons who have subscribed to e-mails, children to whom information society services are offered, etc.; (ii) categories of personal data transferred, e.g. name, surname, e-mail address, telephone number, address of the place of residence, national identification number, detailed information on payments, information regarding health records, etc.; (iii) purposes of the transfer and further processing, e.g. detecting unlawful activity, payroll administration, carrying out bank payments, providing customer support, market research, etc.; (iv) nature of the processing, e.g. storage, recording, publication, combination, sorting, dissemination, etc.; and, (v) period for which the data will be retained or the criteria used to determine that period: a specific period could for instance be determined by statutory requirements (e.g. X years) – when it is not possible to provide an exact period, it must be explained how the retention period will be determined, e.g. on the basis of industry guidelines, the duration of the processing agreement etc. If different categories of personal data are subject to different retention periods, each period must be described separately;
- Transfer Impact Assessment/“Schrems” Due Diligence – In line with the European Court Schrems judgment (C-311/18), Clause 14 of the SCCs requires the parties to assess, prior to concluding the SCCs, whether the laws and practices of the third country of destination applicable to the processing of the personal data by the data importer could prevent the latter from complying with the clauses. In carrying out this “Transfer Impact Assessment”, the parties should take into account, in particular, the specific circumstances of the transfer (e.g. the categories and format of the data, the type of recipient, the economic sector in which the transfer occurs, and the length of the processing chain) and the laws and practices relevant in this context. As regards the impact on compliance with the SCCs, the parties may consider different elements as part of an overall assessment, such as reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer. In case of a negative assessment, the parties may only transfer data based on the SCCs if they put in place additional (“supplementary”) safeguards (e.g. technical measures to ensure data security, such as end-to-end encryption) that address the situation and thus ensure compliance with the clauses. Clause 14 of the SCCs should not be read in isolation, but should be used together with the detailed guidance prepared by the European Data Protection Board;
- Disclosure Challenges – A data importer is not contractually required to challenge each request for disclosure it receives from a public authority. According to Clause 15(2) of the SCCs, the data importer has to review whether the requests it receives are lawful under the applicable domestic legal framework. If the importer considers that there are reasonable grounds to consider the request unlawful (e.g. if it is evident that the requesting authority has exceeded its powers), it should make use of the procedures available under its domestic law to challenge the request. If the data importer has challenged a request and considers that there are sufficient grounds to appeal the outcome of the procedure at first instance, such an appeal should be pursued; and,
- Review – The next European Commission review of the EU SCCs is expected by 2024 and will also include an evaluation of the practical application of the SCCs.
What are the takeaways?
The FAQs are useful, but organisations should also bear in mind that they are not legally binding.
We have reported on international data transfer issues here https://www.corderycompliance.com/datatransfers-ukdates/ and here https://www.corderycompliance.com/datatransfer-eutous/ and here https://www.corderycompliance.com/uk-idta/ and here https://www.corderycompliance.com/edps-on-data-trf-compliance/ and here https://www.corderycompliance.com/uk-consultation-scc-idta/ and here https://www.corderycompliance.com/new-eu-sccs/.
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The European Commission’s questions and answers document on standard contractual clauses can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
The European Data Protection Board “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” can be found here: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en.
The 2021 EU SCCs can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785