Roxana Ionescu and Mădălina Bucur
Everybody was anyway waiting for the new SCCs ever since the GDPR[1] came into force, but there was heightened urgency in completing these documents after the July 2020 Court of Justice ruling in Schrems II case[2], as such ruling has brought great uncertainty for companies carrying out international transfers.
These new SCCs aim to ensure consistency with the GDPR requirements, as well as to provide specific safeguards following the Court of Justice case law, in particular, on how to deal with binding requests for disclosing personal data from public authorities in the third country where data exporters transfer the personal data.
Companies and privacy professionals now have the important job to understand the new SCCs and find ways to implement them.
We putted together what we consider the first questions regarding the new SCCs companies should be asking while assessing the new SCCs.
When will the SCCs enter into force? | The new SCCs enter into force on 27 June 2021 – the twentieth day following the publication of the Implementing Decision[3] in the Official Journal of the European Union. |
Do the SCCs repeal immediately the prior SCCs? Is there a transition period? | The Implementing Decision provides that the prior SCCs[4] should be repealed with effect from 27 September 2021, which means three months after the Implementing Decision entries into force.
Controllers and processors may continue using the prior SCCs: a. Until 27 September 2021, for new international transfers (i.e., transfers initiated after the Implementing Decision comes into force). After this date, companies are required to put in place the new SCCs or other transfer safeguard according to the GDPR in order to legitimize their international transfers. Companies may encounter certain difficulties implementing the new SCCs in such short period, as the new SCCs are very much different and complex in comparison with the previous ones. In particular, carrying out the risk based assessment approach provided by the SCCs (see more details below) could generate delays depending also on the country where they envisaged transferring the personal data. b. Until 27 December 2022 (i.e., 18 months after the Implementing Decision comes into force), for the performance of contracts concluded between controllers and processors before the repealing of the prior SCCs. This is applicable as long as the processing operations that are the subject matter of the contract remain unchanged and the reliance on the prior SCCs would ensure that the transfer is subject to appropriate safeguards within the meaning of the GDPR. In case processing operations change, companies are required to put in place the new SCCs or other transfer safeguard according to the GDPR in order to legitimize their international transfers. While the Implementing Decision does not provide a specific list with the changes that would trigger this obligation, Recital 24 of the Implementing Decision expressly mentions that such obligation would exist in case of sub-contracting to a (sub-) processor of processing operations covered by the contract. |
To what transfers do the SCCs apply? | The new SCCs cover various transfer scenarios, as follows:
a. C2C transfers, from a controller to another controller (Module One) b. C2P transfers, from a controller to a processor (Module Two) c. P2P transfers, from a processor to another processor Module Three) d. P2C transfers, from a processor to controller (Module Four). This means that companies should select the module applicable to their situation to keep only the relevant obligations according to their role and responsibilities in relation to the data processing in question. The specific clauses related to the selected module will supplement the general clauses that are applicable for all four modules mentioned above. While this particular aspect does not come as a surprise if we consider the draft SCCs presented in November 2020 by the Commission that reflected the same modular design, this approach is new and much better in comparison with the prior SCCs that were applicable only for C2P and P2C. For sure, data exporters and data importers acting as both controllers, as well as data exporters acting as processors and data importers acting as sub-processors would very much welcome these changes that close the circle as to all roles the companies may act in respect to a data processing. The SCCs also set out the rights and obligations of controllers and processors according to Article 28 of the GDPR as regards the C2P transfer or the P2P transfer. This is also a welcomed change since by now companies transferring personal data in third country would need to conclude both the prior SCCs and a data processing agreement / other contract reflecting the mandatory clauses under Article 28 of the GDPR. |
Is a non-EEA data exporter who falls within the GDPR territorial scope able to use the new SCCs? | The exporter not established in the EEA, but who falls within the GDPR territorial scope in accordance with Article 3, may use the new SCCs.
This is another very welcomed change brought by the new SCCs, since the prior ones could be used only by data exporters that were established in the EEA, thus leaving without a possible practical solution non-EEA data exporter who would need to transfer personal data to another non-EEA data importer. |
Is it possible to use the new SCCs in case of data transfers to a non-EEA data importer who falls within the GDPR territorial scope? | Article 1 para. 1 and Recital 7 of the Implementing Decision provide expressly that the new SCCs are to be considered appropriate safeguards within the meaning of the GDPR only in case of data transfers to a non-EEA data importer who does not fall within the GDPR territorial scope in accordance with Article 3.
This means that insofar the non-EEA data importer falls within the GDPR territorial scope, the new SCCs may not be used to legitimize the data transfer to it. The Implementing Decision does not explain the reasoning behind this solution, nor those provide instructions as to whether the said data importer should implement the supplementary safeguards according to the Schrems II judgement. One may interpret such safeguards need to be implemented by default according to the general GDPR requirements to which the respective data importer is subject to. However, companies should undertake an in depth analysis on this particular aspect considering the practical implications of it. The monitoring of potential further clarifications of the European Data Protection Board on this matter is advisable. |
Is it possible for more than two companies to conclude the new SCCs / new companies to adhere to the new SCCs concluded initially between certain companies? | As opposed to the prior SCCs, the new SCCs may be used by more than two parties.
Moreover, additional companies acting as controllers or processors are allowed to accede to the new SCCs as data exporters or data importers throughout the lifecycle of the contract of which the new SCCs would form a part. In this respect, the docking clause (i.e., Clause 7 of the new SCCs) provides that an entity that is not a party to the SCCs may, with the agreement of the existing parties, accede to the SCCs at any time, either as a data exporter or as a data importer. The Implementing Decision and the new SCCs are silent on how the existing parties should provide their agreement for the new party to accede to the SCCs, which may lead to different interpretation / practices across companies. |
How the SCCs address the Schrems II requirements? | One of the innovations of the new SCCs the European Commission referred to when announcing their adoption was that the new SCCs provide an overview of the different steps companies have to take to comply with the Schrems II judgment, as well as examples of possible “supplementary measures” that companies may take, if necessary.
Indeed, there is a hole section that seem to focus specifically on the Schrems II requirements (i.e., Section III), reflecting a risk based assessment approach. This means that the parties to the new SCCs have to warrant that they have no reason to believe that the laws and practices in the third country, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under the new SCCs. In providing the warranty, the parties to the new SCCs have to declare that they have taken due account of several elements, including on the laws and practices of the third country of destination and those requirements regarding disclosing personal data to public authorities or to authorizing access by such authorities. While the provisions detailed above are quite general, without practical insights, there is a footnote in the new SCCs (i.e., No. 12) that seem to bring more light on the matter. According to the said footnote, as regards the impact of such laws and practices on compliance with the new SCCs, the elements the companies may consider may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. It goes without saying that this guidance may prove to be very helpful for companies when carrying out the risk based assessment. Parties to the new SCCs would have to document the risk based assessment they made and provide it to the competent supervisory authority, on request. Additionally, the new SCCs provides obligations incumbent to the data importer to notify the data exporter and, where possible, the data subject promptly in case: a. it receives a legally binding request from a public authority, including judicial authorities, for the disclosure of the personal data transferred or if b. it becomes aware of any direct access by public authorities to the personal data transferred. In cases where the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the new SCCs provide the data importer must agree to use its best efforts to obtain a waiver of the prohibition. As expected, these are probably the provisions the companies would struggle the most to comply with if we take into consideration at least the expertise and the multiple resources the companies need to ensure for compliance with these provisions. The reasons may continue. |
Do companies have the right to amend the new SCCs? | As in the case of the prior SCCs, data exporters and data importers may include the new SCCs in a wider contract and add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the new SCCs or prejudice the fundamental rights or freedoms of data subjects. |
The new SCCs include, of course, many other obligations that should be subject to the companies’ in-depth analysis. The sooner they begin assessing such obligations, the better.
While conducting the assessment, companies should keep an eye on the possible guidance their supervisory authorities / the European Data Protection Board may adopt on the matter.
While this article focuses on the new SCCs, it is worth mentioning that on the same date (i.e., 4 June 2021), the European Commission also announced the adoption of another set of standard contractual clauses to be applicable between controllers and processors according to Article 28 of the GDPR. We will be back with our thoughts on this in the following period.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”)
[2] The judgment of the Court of Justice of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”). See our views on the Schrems II judgment reflected in article “How not to get (too) hurt by Schrems II judgment for your data transfers?”
[3] Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Implementing Decision”)
[4] Adopted by the Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC and by the Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC (“prior SCCs”)