On 4 June 2021 the European Commission by Decision 2021/914 adopted new sets of standard contractual clauses applicable to the transfer of personal data.
The need for the new wording of the clauses was predominantly dictated by technological developments, the need to bring them in line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and the judgment of the Court of Justice of the European Union in the case no. C-311/18, in the proceedings involving Facebook Ireland and Maximillian Schrems (so-called Schrems II) – declaring the Privacy Shield programme invalid.
What are standard contractual clauses?
The standard GDPR rules on the transfer of personal data apply to transfers within the EEA. While the transfer of personal data outside this area is not prohibited, additional conditions must be met for it to be possible.
Such transfers may take place to countries for which the Commission has issued an adequacy decision, declaring that an adequate level of data protection exists (at this time, adequacy decisions have been issued for countries such as Canada, Switzerland, the United Kingdom of Great Britain and Northern Ireland, Japan, South Korea and Israel). If no adequacy decision has been issued by the Commission, such a transfer is also possible, provided that appropriate safeguards, which are listed in Article 46(2) and (3) of GDPR, are implemented. One of the ways to do that is to conclude an agreement between the entity transferring the data and the recipient of the data – containing standard contractual clauses as adopted by the Commission. The previous clauses (Decision 2001/497/EC and Decision 2010/87/EC) were based on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which is no longer in force.
What’s new in the contractual clauses and who needs to make changes?
The Commission adopted two new sets of clauses:
- standard clauses for data transfers to non-EEA countries, and
- a set of clauses that can be used as a basis for regulating data processing under Article 28(3) of GDPR, i.e. in a relation between a controller and a processor, both operating within the EEA. With that said, applying this set of clauses is voluntary – entities can continue to use their own processing agreement models. For this reason, we will move on to discussing the clauses that apply to transfer of data to non-EEA countries.
The new sets applicable to data transfer to non-EEA countries consist of a general part (clauses 1 – 7) and modular solutions – so that the parties can best reflect the relation between them in their agreement. What’s more, it is now permitted for the clauses to apply to more than two entities at a time.
Adoption of these new contractual clauses by the Commission means that the organisations that already use or intend to use standard contractual clauses for the transfer of data to non-EEA countries must now implement them.
What is the deadline for implementing the new contractual clauses?
The previous decisions (2001/497/EC and 2010/87/EC) expired with effect from 27 September 2021. However, a transitional period (until 27 December 2022) has been established to give organisations time to adapt to the new regulations. During the transitional period, data may be transferred based on the previous contractual clauses, provided that:
- the processing activities remain unchanged (please note: the types and extent of the data transferred are also relevant), and
- the application of the clauses provides adequate safeguards for personal data.
Notwithstanding the above, from 27 December 2022 onwards, data transfers to non-EEA countries based on the standard contractual clauses can only take place using the new models. However, it must be remembered that negotiating contracts can be time-consuming – so our advice is that you should not postpone the negotiations. When negotiating new agreements during the transitional period, you should already be working on and using the new standard clauses.
New contractual clauses explained by the European Commission
As a response to what the market needs, the European Commission published a compilation of questions and answers related to the new standard contractual clauses (“The new standard contractual clauses – questions and answers overview”).
As mentioned there, the first step in implementing the new clauses consists in correctly defining the roles of the actors who will be involved in the data exchange process. Thanks to the modular design, clauses can be precisely tailored to the business situation at hand. The four modules, designed so that practical needs of the parties can be taken into account, are available for the following relations:
- controller – controller;
- controller – processor;
- processor – processor; and
- processor – controller.
Where complex relations exist, the parties may agree on using more than one module at the same time.
The clauses must be adopted as introduced by the Commission’s Decision and their content should not be modified by the parties. All that the parties need to do is to select the relevant modules, pick the options proposed within them, and then fill in the blank spaces provided. However, the parties may adopt additional safeguards to enhance the security of the personal data they process. It is important to remember that if far-reaching modifications are introduced, such clauses will not be considered as a legitimate basis for lawful data transfer. The use of such modified clauses would have to be approved by the competent supervisory authority (pursuant to Article 46(3)(a) of GDPR). Deletion of clauses also meets the criteria of clause modification – meaning that the parties may not delete clauses, save for such clauses that do not apply to their situation.
The clauses can either form a separate agreement or be integrated into the main contract. In doing so, the above-mentioned principles regarding the prohibition of modifications and the prohibition of including provisions that are in conflict with the standard clauses must be observed.
The Commission notes that it is most important that the clauses are concluded in a legally binding manner and that the commitments made in them are respected. It is also important to complete the annexes, which form an integral part of the clauses. The clauses do not contain any special form requirements for concluding them – the rules of the governing national law apply to any such agreement.
It seems that the new standard clauses reflect the problem that appeared in the wake of the Schrems II ruling. This is because, among other things, an obligation was imposed on the parties to carry out a “Transfer Impact Assessment” (TIA). Such an assessment must include verification of whether the law and the practices in the target country (the country to which the data will be transferred), including any requirements for disclosure of personal data or measures authorising public authorities to obtain access to such data, will prevent the data recipient from fulfilling its obligations under the standard clauses (clause 14). If the result of the assessment is negative, such an agreement should no longer be used as the basis for the data transfer. The above obligation is imposed on both parties, and the assessment must be properly documented.
The take-away message
- Starting from 27 December 2022, new model standard contractual clauses will take effect. If your organisation transfers data to non-EEA countries based on the standard contractual clauses, you need to verify them;
- Until that date, you may continue to use contracts already in place, provided that the conditions discussed here are fulfilled.
Should you wish to find out more or need support on this topic – our team of experts is at your disposal.