What happened?
On 25 May 2022, exactly 4 years after entry into force of the General Data Protection Regulation (“GDPR”), the European Commission (the “Commission”) released new guidance on Standard Contractual Clauses (the “SCCs”). Earlier in 2021, the Commission adopted a new set of SCCs aiming at providing greater flexibility for cross-border data transfer of personal data from the European Economic Area to third countries not benefiting from an adequacy decision. The Commission published Questions and Answers on SCCs based on feedback received from various stakeholders and addressing 44 practical questions raised about the new modular-type SCCs (the “Q&A”).
What are the key takeaways?
The Q&A confirms that the text of the SCCs may not be altered except (1) to select modules or specific options offered in the text, (2) to complete the text where necessary (3) to fill in the Annexes or (4) to add additional safeguards. None of these actions are considered as altering the core text.
However, the parties may supplement the SCCs with additional clauses or incorporate them into a broader commercial contract, as long as the other contractual provisions do not contradict the SCCs, either directly or indirectly, or prejudice the rights of data subjects.
The Q&A also provides practical guidance with respect to the “docking clause” which is an optional clause allowing an additional party to join a contract. All the pre-existing parties may provide consent. The formalisation of such consent is governed by national law and not by the SCCs. In order to make the accession of the contract effective, the new party will need to complete the Annexes and sign Annex I of the SCCs. Upon accession to the SCCs the party will assume all the rights and obligations according to its role and the other parties will simultaneously have the relevant rights and obligations vis-à-vis the new party.
SCCs can be signed electronically if the national law governing the agreement allows conventions to be signed electronically.
The Commission also confirmed that processors are required to provide the names of their respective sub-processors. It is not sufficient for the processors to provide only the categories for the sub-processor.
Finally, the Q&A provides important guidance on the four different modules to the SCCs, the contexts in which they are to be used as well as how the new SCCs are to be used in a post Schrems II1 context (read more about the Schrems II case here).
Next steps
Transfer of personal data outside of the EEA to countries not benefiting from an adequacy decision can only be made if the data exporter –i.e. you or the (sub-)processor, as applicable– provide appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
SCCS may, depending on the circumstances, provide such appropriate safeguards. Hence, if you or any of your (sub-)processors processing personal data on your behalf or, in turn, on behalf of your own processors transfer or intend to transfer personal data as mentioned above, SCCs might be the right choice. SCCs might need to be supplemented by specific measures according to the situation at hand.
We can provide you with any advice in this respect. We have developed an internal tool to quickly and efficiently provide you with the SCCs modules or any of them alone that your transfers require!
1.Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.