11 June 2021
On 7 June 2021, the European Commission finally published the long-awaited new standard data protection clauses or "standard contractual clauses" (SCCs), which will replace the now obsolete clauses from 2001/2004 and 2010 respectively. The new standard contractual clauses not only implement (some of) the requirements of the Schrems II decision by the CJEU, but also adapt the clauses to the specifications of the GDPR. Since the new standard contractual clauses completely replace the old clauses, there are already several measures that companies can take in preparation for the switch.
According to Chapter V of the GDPR, the transfer of personal data from the European Economic Area (EEA) to countries outside the EEA is only permissible if an adequate level of data protection is ensured at the data recipient. In order to ensure such an adequate level of protection, the GDPR provides, inter alia, for the possibility of using standard data protection clauses adopted pursuant to Article 46(2)(c) of the GDPR. On 7 June 2021, the European Commission published a new set of standard contractual clauses which replaces the previous clauses from 2001/2004 and 2010, which were issued under the former Data Protection Directive. The new standard contractual clauses for cross-border transfers of personal data are the European Commission's response to the CJEU's Schrems II decision (CJEU, judgment 16.7.2020 - C-311/18) as well as to the "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data" published by the European Data Protection Board (EDPB).
The new standard contractual clauses differ significantly from the old ones, beginning with their scope of application: While the old clauses could only be concluded between data exporters within the EU and data importers outside the EU, the new clauses can now also be concluded with data exporters who are established outside the EU but to whom the GDPR applies pursuant to Art. 3 (2) GDPR (e.g. due to the "destination principle", because they offer goods or services to data subjects in the EU, or monitor their behavior). Data importers, on the other hand, are only covered if they are established in a third country and the GDPR does not apply to them. This is problematic as it leaves no room for justifying data transfers to non-EU countries based on SCCs if the GDPR applies to data importers despite their establishment outside the EU.
In contrast to the old clauses, there are no longer different "sets" for the various cases of application, but only one "modular" document which must be adapted to the specific case. The new standard contractual clauses must generally be used without any amendments in order to have full effect. However, "breaking up" the modular structure and subdividing it into individual modules is just as possible as integrating it into a more comprehensive contract or adding additional guarantees, Clause 2 lit. a.
The parties can choose between four modules: Controller-Controller (Module 1, "C2C"), Controller-Processor (Module 2, "C2P"), Processor-Processor (Module 3, "P2P") and Processor-Controller (Module 4, "P2C").
Modules 1 and 2 correspond in principle to the constellations depicted in the old clauses, but adapt the clauses to the specifications of the GDPR and define the obligations of the parties involved in greater detail. In addition, Module 2 - unlike the old clauses - meets the requirements of a processing agreement pursuant to Article 28 (3) of the GDPR, which eliminates the need to conclude a separate data processing agreement in addition to the standard contractual clauses.
The long-awaited Module 3 also serves not only as a third-country transfer instrument, but also as a (sub)processing contract. It contains a separate regulation for international data transfers between processors. This is intended to simplify cases of complex processing chains where an EEA-based (main) processor uses sub-processors in third countries. This constellation was not covered by the old clauses. Thus, in this case the supervisory authorities required a direct agreement of the standard contractual clauses between the controller in the EEA and the third-country sub-processors, which was difficult to handle in practice.
In Modules 1 to 3, the data importer submits itself to the jurisdiction of the competent supervisory authority, Clause 13 lit. b, and agrees to submit to audits by the supervisory authority and to comply with measures taken by the respective authority, including remedial and compensatory measures.
Module 4 contains clauses specifically for situations where a processor subject to the GDPR transfers data to a third country controller not subject to the GDPR. However, in contrast to Modules 2 and 3, Module 4 complies with Art. 28 GDPR only in parts. This makes an additional data processing agreement between the third country controller and the processor necessary.
The new standard contractual clauses are to apply exclusively to data importers who are not themselves subject to the GDPR, so that third-country controllers will meet the requirements of Module 4 only "as a favour" to their EU data processors; only for the latter is there actually a reason to work towards concluding the clauses: The commissioning of a European processor by a third country controller would result in compliance obligations not only for the European processor, but also for the third country controller otherwise not affected by the GDPR, so that recourse to a non-European processor might be preferable from the perspective of the third country controller.
The new standard contractual clauses provide for the possibility for data subjects to claim compensation for damages resulting from a party breaching the third-party beneficiary rights under the standard contractual clauses pursuant to Clause 12 lit. b.
Clause 5 now expressly stipulates that the standard contractual clauses take precedence over any deviating agreements in other contracts. Clause 12 - also new - provides for unlimited liability of both parties and an indemnification obligation. The interplay between the priority provision and the liability clause will make it difficult for the parties to deviate from data transfer-related liability.
Unlike under the old clauses, the choice of law and place of jurisdiction are no longer determined by the data exporter's place of business: There can be a (relatively) free choice among the EU member states; in the case of Module 4, even third-country jurisdictions can be considered.
The new - optional - docking clause, Clause 7, allows third parties to join existing standard contractual clauses without having to conclude separate contracts. This is welcomed from a practical point of view.
Further, the new standard contractual clauses provide for extensive documentation obligations regarding the compliance with the clauses’ obligations, in particular for the data importer.
With Clauses 14 and 15 of the new standard contractual clauses, the European Commission takes into account the CJEU judgment in the Schrems II case (CJEU, judgment of 16 July 2020 - Case C-311/18). The clauses should be read having in mind the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Clauses 14 and 15 apply in principle to all modules, with the limitation that they only apply under Module 4 when the EU processor combines data received from the third country controller with data collected by the EU processor.
The clauses provide for an obligation to conduct a transfer impact assessment, Clause 14, and contractual obligations to handle government requests for data access, Clause 15.
Clause 14 provides for an obligation to conduct a transfer impact assessment. The clause basically focuses on laws and practices in the respective third country of destination, but seems to allow for a risk-based approach in that, according to Clause 14 lit. b, the following aspects, inter alia, are taken into account when assessing the level of data protection:
The standard for the protective measures to be taken under the new standard contractual clauses also appears to be lower than that applied by the data protection supervisory authorities. The authorities have so far been rather critical of purely contractual and organizational measures - and in particular of a risk-based approach to the adoption of additional safeguards.
The assessment made shall be documented and released to the competent supervisory authority upon request, Clause 14 lit. d.
The new Clause 15 provides for detailed rules in the event that a public authority requests that the data importer hand over transferred data:
The importer is subject to notification obligations vis-à-vis the data exporter and data subjects regarding binding authority requests for disclosure of personal data, Clause 15.1 lit. b. These obligations also apply in the event that the data importer becomes aware of any other access to data by an authority. If such notification to the data exporter is prohibited, the data importer shall seek to have the prohibition lifted, Clause 15.1 lit. b. Further obligations under Clause 15.1 also include, to the extent that it is permitted, the regular preparation of "transparency reports" on the authority data access requests received, Clause 15.1 lit. c.
It is incumbent upon the data importer to investigate the legality of the official request for surrender. In the event of an unlawful request, the data importer must take legal action to avoid the surrender of the transferred data, Clause 15.2 lit. a. Here, too, the data importer is subject to comprehensive documentation obligations with regard to its legal assessment, which needs to be provided to the competent data protection supervisory authority at its request, Clause 15.2 lit. b. Furthermore, the importer may only disclose to the requesting authority the minimum amount of data required "based on a reasonable interpretation of the request", Clause 15.2 lit. c.
The new standard contractual clauses enter into force on 27 June 2021. Starting from this date, the old clauses can still be agreed for a further period of three months, until 26 September 2021. From 27 September on, only the new standard contractual clauses can be concluded. During a further transition period of 15 months, data transfers can continue to take place on the basis of the old clauses; from 27 December 2022 onwards, all data transfers must be switched to the new standard contractual clauses.
Companies should therefore already take the following precautions: