New Standard Contractual Data Protection Clauses for International Data Transfer and Standard Contractual Clauses for Contract Processing
This month, the European Commission published the final version of the new "standard data protection clauses" for transfers of personal data to third countries and, at the same time, the final version of the "standard contractual clauses" (SCCs) for order processing contracts for processing in the EU.
With the new "standard contractual claus-es" for order processing contracts, the Commission is now for the first time creating an EU-wide uniform contract template for order processing constellations in the EU and is for the first time making use of its discre-tionary powers granted under Article 28 (5) of the GDPR.
These "standard data protection clauses" replace the standard contractual clauses for controllers from 2001 and standard contractual clauses for processors from 2010 for the transfer of personal data to third countries (see Article 46 (2) (c) of the GDPR).
They provide for a number of changes compared to the previously applicable standard contractual clauses. In particular, the new "standard data protection clauses" are to apply in the sense of a modular approach both to transfers between controllers (module 1) and transfers to processors (module 2). In addition, the new clauses should also be able to be used for a (further) transfer from a processor to further (sub-) processors (module 3) as well as for a transfer from a processor to a controller (module 4).
According to the EU Commission, the new "standard data protection clauses" also take into account the requirements of the European Court of Justice (ECJ) from its Schrems II decision (Schrems v. Facebook). In our last data protection newsletter, we informed you that companies can no longer rely on the EU Commission's adequacy conclusion regard-ing the EU-US Privacy Shield when transfer-ring personal data to the USA. The USA was with it classified as an "insecure" third coun-try under data protection law.
The background to this is that, under data protection law, any transfer of personal data to a third country (countries outside the EU/EEA) is only permitted if the conditions set out in Art. 44 et seq. GDPR are complied with. Accordingly, a data transfer to unsafe third countries is possible, among other things, by including the EU Commission's EU standard contractual clauses. These "instruments" are intended to ensure compliance with the European data protection principles and security requirements for the protection of personal data outside the EU/EEA.
The old SCCs have now been replaced by the new "standard data protection clauses"; these will be effective from June 27, 2021 and can be used by data exporters and importers from this date. For data controllers and processors currently using the existing SCCs for transfers to third countries, the decision on the new "standard data protection clauses" provides for a transition period of 18 months.
It should be noted that in its decision on the "standard data protection clauses" (para. 19), the EU Commission explicitly points out that the transfer of personal data on the basis of the standard data protection clauses should not take place if the law and legal practice in third coun-tries prevent the data importer from com-plying with the contractual obligations.
Data-exporting companies will therefore have to separately review in detail all transfers of personal data to third countries based on "standard data protection clauses" when using the new "standard data protection claus-es". In our opinion, the following must be examined,
-which laws the respective data importer inthe third country and any other recipients towhom the data is to be transferred are subject to, and
-whether these laws affect the guaranteesgiven by them when signing the "standarddata protection clauses".
For this purpose, it is essential to analyze the specific data transfers in detail and to determine which laws of the third country apply in each case.
We therefore recommend that you review existing contracts in good time and take the necessary steps to update them.
If you have any questions, please do not hes-itate to contact us!