After Schrems II: New EU Standard Contractual Clauses (SCC) come into force
The new clauses provide more flexibility. At the same time, the requirements for data export are increasing.
With the new standard contractual clauses (SCC), the EU Commission is providing a new framework for data transfers to countries that do not have the same level of data protection as the European Union. After the European Court of Justice declared the EU-US Privacy Shield invalid last year, data transfers to the US in particular presented many companies with major challenges. The new clauses create more clarity and flexibility. At the same time, however, the requirements are increasing. Where the old EU standard contractual clauses are currently agreed, they must be replaced by the new clauses by 27 December 2022 at the latest.
The exchange of personal data with service providers, business partners or affiliates in a country outside the European Economic Area (EEA) is now common practice in many companies. Last year, the European Court of Justice declared the EU-US Privacy Shield (which previously served as the basis for data transfers to the US) invalid with immediate effect (ECJ C-311/18 - "Schrems II"). Since then, the focus has once again been on the so-called EU standard contractual clauses (Art. 46(2)(c) GDPR) ("SCC") as an instrument for international data transfers.
Against the background of the Schrems II proceedings and increasingly complex international processing chains, the EU Commission published new SCC on 04 June 2021. They will come into force on 27 June 2021. During a transition period of three months, the previous SCC can continue to be agreed. By 27 December 2022, all old SCC must be replaced; otherwise the basis for the international data transfer will cease to apply.
The clauses provide for a modular approach. They allow different constellations with multiple contracting parties to be mapped and always apply when personal data is transferred to a recipient in a third country (data importer) to which the GDPR does not apply directly. This also includes transfers by companies in a third country to which the GDPR applies due to their activities. The various modules of the clauses provide for the following constellations of data transfer:
- Controller to which the GDPR applies (data exporter) to another controller in the third country (data importer)
- Controller to which the GDPR applies (data exporter) to a processor in the third country (data importer)
- Processor in the EU (data exporter) to a sub-processor in the third country (data importer)
- Processor in the EU (data exporter) to its principal (controller) in the third country (data importer)
In addition, the SCC allow additional parties to join the agreement as a data exporter or data importer with effect for the future.
Depending on its role, the SCC contractually subject the data importer to the essential principles and obligations of the GDPR. These include, in particular:
- Being bound by the principles of accuracy, data minimization and storage limitation,
- Ensuring the security of data processing,
- Complying with information and notification obligations as well as data subject rights.
The accountability obligations of the parties also explicitly refer to compliance with the agreed SCC.
Finally, the standard contractual clauses for the first time contain provisions with which the requirements for order processing pursuant to Art. 28 paras. 3 and 4 GDPR can be effectively agreed. This is not only relevant for order processing in an international context.
The EU Commission is also responding to risks to the protection of personal data resulting from regulations and authority practices in the recipient country. The extensive access to data by U.S. security authorities had prompted the ECJ in the Schrems II proceedings to deny the U.S. an "essentially equivalent level of protection" in data protection. Under the new SCC, the parties must therefore assure each other prior to data transfer that they have no reason to believe that such circumstances will prevent the data importer from fulfilling its obligations. With regard to access by authorities to data held by the data importer, the data importer is subject to comprehensive notification and action obligations (in particular to defend against the measures).
This means that it is still not possible to transfer data to a third country if the data there is not safe from extensive access by the authorities. The new SCC are also unable to solve this dilemma.
Need for action:
In the future, data exporters will have to take special care in selecting recipients in the third country and in documentation. In addition, special assurances and guarantee declarations will be required for both parties.
Within the transition period of 18 months, companies are required to replace all previously agreed SCC and implement the resulting obligations.
Published: June 2021