On 25 May, the European Commission released new guidance on Standard Contractual Clauses. It’s a set of 44 questions and answers (Q&A) that deals with a variety of practical issues that stakeholders frequently encountered when using the new SCCs in the first months after their adoption.
For most, the SCCs are still a difficult concept to grasp – and one that seems to have constant updates and guidance. This blog will break down the highlights of the guidance in the Q&A, with the key information you need to know.
But first, a brief recap: what are the new SCCs again?
On 4 June 2021, the European Commission (EC) adopted two new sets of Standard Contractual Clauses: one for use between controllers and processors and one for the transfer of personal data to third countries. These were updated to reflect the requirements of the General Data Protection Regulation (GDPR). The SCCs were modernised to make them more user-friendly and cover additional transfer scenarios; for example, transfers from processor to sub-processor.
Any ‘old’ SCCs that were entered into prior to September 27, 2021 remain valid until December 27 of this year. However, past this date, organisations that rely on Standard Contractual Clauses for transferring personal data must adopt the updated version which addresses the requirements of the Schrems II judgement. This case stressed the importance of the use of transfer impact/risk assessments when transferring personal data. Under the new SCCs, Transfer Impact Assessments are now an express contractual requirement. (You can read all about the new SCCs in our previous blog here.)
Commission’s Q&A breakdown
The Q&A document is divided into three parts: Standard Contractual Clauses, Standard Contractual Clauses between controllers and processors and Standard Contractual Clauses for data transfers to third countries. The EC has confirmed that this will be a “dynamic” document that will be updated as new questions arise.
Here are the top 10 things to note from the guidance to help organisations comply with the GDPR.
1. Are there specific requirements for the signature of the SCCs by the parties?
The SCCs don’t contain any requirements on how the signature should be formalised. This is decided by national (civil/contract) law governing the agreement.
2. Can parties add additional clauses to the SCCs or incorporate the SCCs into a broader commercial contract?
If they wish, organisations can supplement the SCCs with additional clauses or incorporate them into a broader commercial contract. The additions must not contradict other contractual provisions or the SCCs themselves, either directly or indirectly. They must also not affect the rights of the data subject.
3. Can the parties delete modules and/or options that don’t apply to their situation?
The guidance states that parties should only agree to the clauses that are relevant for their situation. They should delete any modules and/or options that don’t apply.
4. What’s the purpose of the docking clause?
The docking clause is an optional clause by which the parties to the SCCs can choose to agree that additional parties may join the contract in the future. This provides the parties with flexibility in case of changes involving the entities participating in the contract.
5. Are data exporters and importers that still use the ‘old’ SCCs required to switch to the new ones adopted in 2021?
Yes, transfer agreements that organisations entered into after 27 September 2021 must be based on the new SCCs. Organisations that entered into a transfer agreement before that date have until 27 December 2022 to switch to the new SCCs.
6. What happens when a new party accedes to the SCCs?
The Annexes to the SCCs must be updated when parties are added. For example, when new parties agree, these parties and their roles should be listed, together with, where relevant, the description of the transfers and the applicable technical and organisational measures.
7. Is the processor required to provide the name(s) of the sub-processor(s) it engages to the controller?
Yes. In both cases, the processor has to provide the name(s) of the individual sub-processor(s) to the controller so that the latter can decide on the authorisation of the selected sub-processor(s). It’s not sufficient for the processor to provide only the categories for the sub-processors.
8. SCC Liability
The SCCs regulate two types of liability: (1) liability of the parties towards data subjects; and (2) liability between the parties. Other clauses in the broader (commercial) contract (e.g., special rules on the distribution of liability, liability caps in the relationship between the parties) may not contradict or undermine these liability schemes of the SCCs.
It’s important to note that this only applies to liability for violations of the SCCs themselves.
9. Can these SCCs be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR?
No. These SCCs provide a comprehensive data protection framework that has been developed to ensure continuity of protection in case of data transfers to data importers that are not subject to the GDPR. They don’t work for importers whose processing operations are subject to the GDPR pursuant to Article 3. The EU Commission is in the process of developing an additional set of SCCs for this scenario.
10. Can the SCCs only be used for international data transfers under the GDPR?
Several other jurisdictions have endorsed the EEA Standard Contractual Clauses as a transfer mechanism under their own national data protection legislation. For example, the UK has done so with limited formal adaptations to its domestic legal order.
December 27, 2022 is the date to save – and it’s getting closer. By then, organisations that rely on SCCs for transferring personal data need to have implemented the new SCCs. As the date approaches, the Commission’s 24-page Q&A helps, and you can also use our breakdown as a helpful review of the main points.
Cliona Perrick is a data protection analyst with BH Consulting