Date Published 25/11/2021
New Guidance for GDPR Standard Contractual Clauses
Further to the earlier adoption of new Standard Contractual Clauses the European Commission published Questions and Answers on 25 May 2022 on these to provide further clarity and assist stakeholders in their compliance with their obligations under the GDPR. There are 44 Q&As and they cover a range of issues including data transfers to third countries, individuals rights, obligations of importers and exporters, and interaction with local laws.
Background
New Standard Contractual Clauses (‘’SCCs’’) for the transfer of personal data from the European Union (“EU”) to third countries reflecting the decision of the EU’s Court of Justice in Schrems II (Case C-311/18) have been published by the European Commission (“EC”). The implementing decision was published in the Official Journal on 7 June 2021 and entered into force on 27 June 2021.
The role of SCCs is to ensure appropriate data protection safeguards for international data transfers and that any personal data transferred to a country outside the EU should be afforded with a level of protection that is essentially equivalent to that guaranteed within the EU under the GDPR.
The new SCCs combine general clauses with a modular approach in order to cater for various transfer scenarios and the complexity of modern processing. In addition to the general clauses, parties should carry out an assessment of the data transfer to tailor their obligations and select any module(s) which apply. Data Controllers and Processors are free to include the SCCs in wider contracts and to add other clauses or additional safeguards. However, they must ensure that any additional clauses and safeguards do not contradict the SCCs or prejudice the fundamental rights or freedoms of data subjects.
Two or more parties can adhere to the SCCs and the new SCCs also allow for third parties to become a party at a later stage. Any onward transfers to a third party should only be permitted if the third party accedes to the SCCs, if the continuity of protections is ensured in an alternative manner or in specific compliant situations, for example with the informed consent of the data subject.
The new SCCs replace all previous SCCs, however, any contracts concluded before 27 September 2021 on the basis of previous authorities (Namely Decision 2001/497/EC or Decision 2010/87/EU) shall be deemed to provide appropriate safeguards until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Other Updates
In addition to the new SCCs a range of other measures impacting the data protection environment in the EU are of note. These include new guidance from the European Data Protection Board (“EDPB”) and further details of these are available upon request.
Recommended Action:
It is advisable for new contracts to include the revised SCCs from 27th June 2021. While existing contracts with the old SCCs will be valid for 18 months, we recommend reviewing any existing such contracts in order to determine any necessary updates. In addition, it will be appropriate to ascertain if there will be practical operational difficulties caused by having two forms of contract in use. All relevant parties should have a full understanding of the new SCCs. Negotiations and communication with counterparties should commence as soon as possible and draft agreements should be prepared to ensure a timely adoption of the new SCCs. The evolving nature of relevant law and the penalties for non-compliance underline the need to focus on such GDPR related issues.
Author:
Mark Browne
Partner of Asset Management and Funds