On 4 June 2021, the European Commission (hereinafter “EC”) published the long-awaited final Implementing Decision (and its Annex) adopting new standard contractual clauses for the transfer of personal data to third countries (“new SCCs”). This document updates and restructures the previous SCCs published by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU).
The provisions are very similar to the draft text issued by the EC on 12 November 2020 and submitted to consultation. In a nutshell, in comparison to the draft SCCs, the definitive version of the new SCCs:
- has a clearer structure;
- adds more detailed provisions (notably regarding local laws and practices affecting compliance with the SCCs) and is more aligned with the wording of the GDPR; and
- introduces a longer transitional period.
What’s new and what practical impact of the new SCCs?
Modular basis approach based on various scenarios
As already explained in our previous news, the new SCCs combine general clauses with a modular approach covering four data transfer scenarios and the complexity of a modern processing chains (“data exporter-to-data importer transfers”):
- Controller-to-Controller (C2C) transfers
- Controller-to-Processor (C2P) transfers
- Processor-to-Processor (P2P) transfers [new]
- Processor-to-Controller (P2C) transfers [new]
From a contractual point of view:
- The data exporter and the data importer are free to include those SCCs in a wider contract and to add other clauses or additional safeguards.
- These one should however not contradict (directly or indirectly) the SCCs or prejudice the fundamental rights or freedoms of data subjects.
- However, in the event of a contradiction between the clauses of the SCCs and the provisions of related agreements between the parties, the SCCs shall prevail. This should therefore be taken into account when drafting contracts, particularly with regard to precedence order clauses.
- In addition, the SCCs are designed in a way that allows the parties to use them in a multi-party setting. Additional party may therefore accede to the SCCs as controllers or processors throughout the lifecycle of the agreement which they form a part. This new approach can be very helpful to facilitate multi-party contractual schemes (notably for intra-group data transfers).
Schrems II issues
The new SCCs have been reviewed in the light of the CJEU’s decision in Schrems II.
The new SCCs contain further provisions imposing on the data exporter and data importer to assess the local laws in the recipient country as well as the risks of data access by the public authorities.
As a general principle, the data exporter and importer shall warrant that “they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses [SCCs]”.
In particular, the new SCCs (articles 14 and 15) give more guidance on local laws and practices affecting compliance, e.g. key factors to be considered as part of an overall assessment.
In that sense, the data exporter shall warrant that it has used reasonable efforts to determine that the data importer is able to satisfy its obligations under the SCCs.
According to the EC, such ability could be made possible especially through the implementation of appropriate technical and organisational measures. The EC encourages the parties to have – in particular – recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. At the end of the day, the drafting of reliable warranty and audit clauses (aiming to ensure that the data importer will ensure an appropriate level of protection to the transferred data, and ultimately not place the data controller in breach of its obligations) will be all the more necessary.
For its part, the importer shall, notably:
- make its best efforts to provide the data exporter with all relevant information.
- promptly notify the data exporter if it:
- has reason to believe that it is or has become subject to laws not in line with the protection granted by GDPR,
- receives a legally binding request by a public authority under the laws of the country of destination for disclosure of personal data.
- becomes aware of any direct access by public authorities to transferred personal data.
- review, under the laws of the country of destination, the legality of such request for disclosure and to exhaust all available remedies to challenge the request if possible, under applicable laws.
What’s next?
In short:
- The new SCCs were adopted on June 4, 2021 – Commission Implementing Decision (EU) 2021/914.
- They must be used in new contracts since September 27, 2021.
- The old SCCs must be replaced by the new ones by December 27, 2022.
Our advice:
“Oh dear! Oh dear! I shall be too late!“, say the Rabbit.
Don’t worry! Our Privacy and Data Protection team is as of now at your disposal to assist you in the compliance assessment of your international data transfers by:
- implementing these new SCCs; and
- considering whether supplementary measures should be taken (see our previous news here and here).
You can also review our webinar on the subject here.