International Data Transfers – Scope of the New Standard Contractual Clauses

With MODULE 3 there is a contract that legitimizes the transfer of data from contract processors to contract processors. This means that the processing chain can also be secured between the processor and the sub-processor. A distinction must be made between a number of case constellations:

The recitals of the European Commission for the Implementing Decision (EU) 2021/914 of June 4, 2021 provide for MODULE 3 to be applied if the processor is located in the EU and the processor transmits the data to a subcontractor in a third country (EC 9). Furthermore, EC 7 takes into account the cases in which neither the processor nor the sub-processor are located in the EU – but only if the processing is subject to Article 3 (2) GDPR. This means that the GDPR is applicable because the data transfers are related to offering goods or services to data subjects in the EU (lit. a) or observing the behavior of the data subjects insofar as this takes place in the Union (lit. . That’s the theory.

However, if you take a closer look at the constellations that arise in practice, you quickly come to the point that this – at least not directly – covers all applications.

The transfer of data from a processor in a third country to a sub-processor in the same or in another third country must be considered separately, regardless of whether there is an adequacy decision pursuant to Art. 45 GDPR.

For this purpose, Art. 44 S. 1 Hs. 2 GDPR sets out comprehensive requirements when it says that any further transmission of personal data from a third country or within the third country (see EG 101 on the GDPR) is only permitted if the provisions the GDPR are complied with.

This requirement can be interpreted in such a way that the business partners in third countries are not necessarily subject to all the requirements of the GDPR. The person responsible, who is based in the EU and is therefore subject to the GDPR, but is also responsible for this onward transmission. This is already evident in Art. 28 Paragraph 1 and Paragraph 4 GDPR, where the data does not yet leave the European area.

As a consequence, this means that cooperation with companies outside the EU and without an adequacy decision can only be welcomed if the standard contractual clauses are concluded – on a voluntary basis.

The consequences of this for cooperation with companies from the UK, for example, for which there is an adequacy decision with an expiry date, remains to be seen with excitement.

We are happy to help if you have any questions about international data transfers or other data protection issues! Simply use our contact form. We can be reached by phone at the headquarters in Hutthurm on +49 (0) 8505 91927-0. The telephone number for our branch in Munich is +49 (0) 89 413 2943 – 0.