Innovations
In drafting the new standard contractual clauses, the European Commission has taken into account, at least in part, the requirements of the specific standards for the transfer of personal data to third countries (Art. 44 et seq. GDPR) and the requirements of the European Court of Justice (ECJ) from its Schrems II ruling of July 2020.
Art. 46 (1) GDPR sets out the basic requirements: it requires that a data transfer to a third country may only take place if the controller or processor has provided appropriate safeguards and if enforceable rights and effective remedies are available to the data subjects.
The European Commission also explicitly addresses this in its implementing decision of 4th June 2021 by clarifying that such safeguards exist in the form of the standard contractual clauses issued by the Commission pursuant to Article 46(2)(c) of the GDPR. However, it does not cover the second requirement, namely that enforceable rights and effective remedies must be available to data subjects.
It follows that before data is transferred to the destination country, an assessment must be made as to the level of data protection in the destination country and the rights and remedies available to data subjects.
It is welcome that the new standard contractual clauses include regulations on liability vis-à-vis the data subject. In addition, a section has been integrated that contains regulations, especially in the case of binding requests and in the case of access to the data by authorities.