Implementation of New Standard Contractual Clauses

On 12 November 2020, the European Commission (Commission) published a draft Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (GDPR) along with its draft set of new standard contractual clauses (the New SCCs).

Background: Restricted Transfers Under GDPR

The GDPR primarily applies to controllers and processors located in the European Economic Area (EEA), with some exceptions. Individuals risk losing protection under the GDPR if their personal data is transferred outside of the EEA. The GDPR, therefore, restricts such transfers ('restricted transfers'), unless rights of individuals are protected in another way or an exception applies.

A restricted transfer can be made if it is necessary to meet your purposes and one of the following three conditions are satisfied:

1. If the country or territory where the data recipient is located, or the specific sector in that territory in which the data recipient operates, is subject to the Commission's 'adequacy decision'.

2. If there is no relevant adequacy decision, but you have implemented one or more of the 'appropriate safeguards' listed in the GDPR. These safeguards are to ensure you and the recipient are legally required to protect individuals' rights and freedoms for their personal data. One example is that you and the data recipient based outside the EEA have entered into a contract incorporating standard data protection clauses adopted by the Commission (i.e., standard contractual clauses (SCCs)). The Commission has adopted four sets of SCCs under the GDPR. The draft Implementing Decision seeks to replace these with the New SCCs, which are annexed to the decision.

3. If your proposed restricted transfer is not covered by an adequacy decision nor appropriate safeguards, an exception in the GDPR applies. For example, there is an exception if the individual has given their explicit consent to the restricted transfer or it is necessary to perform a contract you have with the individual. Note, however, that relying on an exception is a last resort option.

The New Standard Contractual Clauses

The draft Implementing Decision explains that the SCCs previously adopted by the Commission needed to be updated and modernised due to new requirements in the GDPR and developments in the digital economy.

The New SCCs combine general clauses with a modular approach, to cater for various transfer scenarios and the complexity of modern data-processing chains. Controllers and processors should use the general clauses and, in addition, select the modules applicable to their situations. The modules vary based on the transfer scenario and designation of the parties under the GDPR and distinguish (1) controller-to-controller transfers; (2) controller-to-processor transfers; (3) processor-to-processor transfers; and (4) processor-to-controller transfers. This approach allows you to tailor your obligations to your corresponding role and responsibility in relation to the data processing at issue.

Other Key Features of the New SCCs

When Will the New SCCs Be Adopted?

The adoption process for the New SCCs requires an opinion of the European Data Protection Board and the positive vote of EU Member States through the comitology procedure (which requires the Commission to consult a committee in which each EU country is represented before it can adopt an implementing act). The final SCCs are expected to be adopted early this year.

©2024 Katten Muchin Rosenman LLP
National Law Review, Volumess XI, Number 64