08/06/21

Data transfer tool – Adoption of new sets of Standard Contractual Clauses

In the absence of an adequacy decision or derogations, undertakings may only transfer personal data outside the European Economic Area (EEA) if they have provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

To do so, undertakings widely use Standard Contractual Clauses (SCCs) adopted by the European Commission as an appropriate safeguards mechanism. 

The SCCs contain contractual obligations aiming to ensure compliance with the GDPR’s requirements and extend the scope of these rules to territories that are not considered to offer an adequate level of protection for the rights and freedoms of data subjects.

As the current SCCs were adopted by the European Commission under Directive 95/46, the predecessor of the GDPR, their content (which still referred to Directive 95/46) needed a major update. 

In addition, the use of SCCs as an appropriate safeguards mechanism has been questioned by the Court of Justice of the EU (CJEU) in the Schrems II case (read our previous e-zine on the decision rendered on 16 July 2020, C-311/18). Although the CJEU confirmed that the SCCs may be an effective mechanism to protect EU citizens whose personal data are to be transferred outside the EEA and therefore acknowledged their validity in principle, it is of the opinion that a case-by-case analysis is necessary in order to evaluate whether the data importer in the third country will be able to comply with the SCCs in practice and whether the legal system of the third country does not prevent such compliance. Hence, while in the past it was assumed that the signing of the SCCs in and of itself rendered a transfer compliant, EU data exporters now have to carry out Transfer Impact Assessments (TIAs) prior to using the SCCs. 

In light of the above, on 12 November 2020, the European Commission published new draft SCCs for public consultation. Feedback was received from no fewer than 148 organisations, especially business associations. In general, the updated SCCs were welcomed, but subject to certain remarks, suggestions and requests for amendment.

The final version of the set of SCCs has been adopted and published today (see link here).

WHAT’S NEW?

There are now four (4) sets of SCCs: 

  • controller-to-controller transfers; 
  • controller-to-processor transfers; 
  • processor-to-processor transfers (new!); and 
  • processor-to-controller transfers. 

The new SCCs provide more legal and privacy safeguards. The European Commission has further inserted some elements of transparency and accountability. For example, sub-processors will now have to accept audits from the EEA-based controller.

The new SCCs also take into account the findings of the CJEU in the Schrems II case. As a result, the need for data exporters to perform a TIA prior to implementing the SCCs has now become a formal requirement and is no longer based on EDPB guidance only. It is up to the EU data exporters to decide whether they only use SCCs or, given the legislation of the concerned third country, put in place additional (technical and/or organisational) safeguards, such as encryption and pseudonymisation of personal data.

Today’s decision of the European Commission on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 shall enter into force on the twentieth (20th) day following that of its publication in the Official Journal of the European Union. Undertakings will have eighteen months from the date of entry into force to replace any existing standard contractual clauses currently being relied upon to conduct international transfers of personal data with the new SCCs.  

Do not hesitate to contact us should you have any questions on how to implement the new SCCs or how to proceed with a TIA. 
