A light at the end of the tunnel? The new standard contractual clauses on the transfer of personal data to third countries

On 4th June 2021, the European Commission adopted the new standard contractual clauses for the transfer of personal data to third countries in accordance with the GDPR.

The new standard contractual clauses, the GDPR speaks of standard data protection clauses (Art. 46 para. 2 lit. c) GDPR), will enter into force at the end of June 2021 and will replace the existing contracts for controllers and for processors.

Innovations

In drafting the new standard contractual clauses, the European Commission has taken into account, at least in part, the requirements of the specific standards for the transfer of personal data to third countries (Art. 44 et seq. GDPR) and the requirements of the European Court of Justice (ECJ) from its Schrems II ruling of July 2020.

Art. 46 (1) GDPR sets out the basic requirements: it requires that a data transfer to a third country may only take place if the controller or processor has provided appropriate safeguards and if enforceable rights and effective remedies are available to the data subjects.

The European Commission also explicitly addresses this in its implementing decision of 4th June 2021 by clarifying that such safeguards exist in the form of the standard contractual clauses issued by the Commission pursuant to Article 46(2)(c) of the GDPR. However, it does not cover the second requirement, namely that enforceable rights and effective remedies must be available to data subjects.

It follows that before data is transferred to the destination country, an assessment must be made as to the level of data protection in the destination country and the rights and remedies available to data subjects.

It is welcome that the new standard contractual clauses include regulations on liability vis-à-vis the data subject. In addition, a section has been integrated that contains regulations, especially in the case of binding requests and in the case of access to the data by authorities.

Handling of the new standard contractual clauses

The standard contractual clauses are available in four modules and can now be concluded for the following constellations:

Module 1: Data transfer between controllers

Module 2: Data transfer between controller and processor

Module 3: Data transfer between processors – this covers data transfer from a processor to its sub-processor.

Module 4: Data transfer between processor and controller – in contrast to Module 2, here the processor falls within the scope of the GDPR and the controller is located in a third country.

The new standard contractual clauses may not be modified as such. However, they may be incorporated into a more comprehensive contract and extended to include additional guarantees and/or clauses, provided that these do not directly or indirectly conflict with the standard contractual clauses or interfere with the fundamental rights or freedoms of the data subjects.

Significance for third-country transfers to the U.S.

The new standard contractual clauses cannot solve the problem, namely the conflict with national law of third countries. This also applies, among other things, to data transfers to the USA. There, for example, the so-called Cloud Act allows U.S. intelligence services to access the personal data of EU citizens processed or transferred in the U.S. under certain conditions. The European Commission explicitly states in Recital 19 that “the transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses.” Recital 20 proposes to address this through further safeguards, including contractually agreed technical and organizational measures.

In the case of transfers to third countries, data-exporting companies will have to examine in detail which laws the data importer in the third country and, if applicable, further recipients are subject to and whether these laws, affect the guarantees given by them with the signing of the standard contractual clauses. So the suspense continues.

Measures required now

The European Commission’s implementing decision provides a transition period of 18 months, until the end of December 2022, for data transfers based on the previous standard contractual clauses. During this time, contracts must be converted to the new standard contractual clauses. New contracts that are only now being concluded should, if possible, be based on the new standard contract clauses with immediate effect. This will avoid the need for a further conversion of contracts and the associated renewed contract negotiations.

For our customers, we always keep an eye on the latest developments on this topic and approach them – as the responsible parties – if there is a concrete need for action. We provide our customers with comprehensive support and advice when implementing the necessary measures.

If you need assistance with the application of the new standard contractual clauses or advice in connection with data transfers to third countries, please feel free to contact us. We will be happy to advise you on this, and all other topics related to data protection. Make an appointment here!

Schlagworte: GDPR, Data processing