New developments regarding data transfers to third countries.
The new standard contractual clauses
On June 4, 2021, the European Commission published two new packages of Standard Contractual Clauses (SCCs).
The SCCs have now been updated to the GDPR and are intended to help bridge the gap that has existed since the Schrems II judgment of the European Court of Justice on July 16, 2020 (Schrems II judgement).
The likelihood that the new SCCs will be relevant to your business is high, so this is an issue that you should pay attention to.
Whenever personal data is transferred to a third country, the requirements of Art. 44 ff. GDPR must be observed so that the level of protection guaranteed by the GDPR is not undermined.
One of the tools with which third country transfers can be legally secured is the SCCs. The importance of the SCCs increased after the European Court of Justice, in a first decision, declared the Safe Harbor regime, under which data transfers between the USA and the EU could be legitimately carried out, null and void (Safe Harbor judgement). The main reason for this decision was the lack of adequate legal protection for Europeans in the USA if they wanted to take action against data processing.
A few months after the decision, the politically and economically desired but legally questionable EU-U.S. Privacy Shield was announced as the successor to Safe Harbor. The Privacy Shield was controversial because it did not solve the problem of inadequate legal protection. Subsequently, Privacy Shield was invalidated by the European Court of Justice in the much-noticed Schrems II decision. The court also found that the previous SCCs can still be used for data transfers to countries without an adequacy decision, but that additional guarantees must be agreed to ensure adequate protection. This presented companies with an almost impossible task.
Why is this relevant to you?
Do you know exactly when you, or the software products or systems you use, transmit personal data to third parties? Do you also know where the data may be sent from there? Under certain circumstances, data exports take place in your company that you were previously unaware of and that, where possible, have to be put on a legally solid basis in addition to the data transfers you are familiar with.
The new SCCs
Depending on the contractual relationship, data exporters can choose from four modules in the SCCs for different scenarios:
- Controller-to-controller transfers (C2C)
- Controller-to-processor transfers (C2P)
- Processor-to-processor transfers (P2P)
- Processor-to-controller transfers (P2C)
Clauses on transfers between two processors and from processors to controllers are a useful addition. The SCCs contain various annexes with which the specific situation can be recorded transparently. It is also noteworthy that the clauses regulate how requests from authorities in third countries to hand over the transmitted personal data are to be dealt with.
As in the GDPR, the rights of data subjects are particularly strengthened in the modernized SCCs. For example, the data importer must notify the data subject if there is a legally binding request from the authorities for their personal data to be released. If the data importer is prevented by the authorities from issuing such a notification, it should endeavor to have the prohibition lifted.
The standard contractual clauses meet the requirements of Art. 28 para. 3 and 4 GDPR, so that the view of some German data protection authorities that additional clauses are needed in the case of transfers to processors is no longer valid.
The new SCCs include liability clauses in the event that data is released without authorization. These were previously optional.
The flexibility of the SCCs is both an opportunity and a risk. Like the GDPR, they are rooted in a risk-based approach. However, this also means that it is up to the parties to assess the risks for the data subjects. You must assess whether the legal situation in the third country and the handling of disclosure requests ensure adequate protection of personal data. If this is not the case, no data may be transferred, or additional protective measures must be taken. These can be technical and organizational measures to ensure the security of the data, such as pseudonymisation or encryption.
Three important dates
The following times are relevant for your planning:
- 06/27/2021: The new SCCs go into effect.
- 09/27/2021: The old SCCs will be repealed.
- 12/27/2022: A 15-month grace period applies from 09/27/2021. By December 27, 2022, all old contracts that were concluded before September 27, 2021 must include the new SCCs, i.e. the old SCCs may still be used until then. After that, the old SCCs may no longer be used.
- New contracts: From September 27, 2021, only the new SCCs can be used.
What should I do?
Your contractual relationships may have to be adjusted within the framework of these deadlines. Do you export personal data or do you work with data exporters? Are existing contracts sufficient? Have you already taken action on “Schrems II”? Do you have situations 3 or 4 (processor-to-processor or processor-to-controller transfers) that have not yet been covered? Note that with regard to existing contracts, it must be checked whether additional guarantees have been agreed and whether these are sufficient. New contracts must be negotiated in good time before the end of the grace period.
In the case of new contracts, it is important that you ensure an adequate level of protection by selecting from the available options for action, and that you take action if there is reason to doubt that an adequate level of protection is (still) guaranteed.
As a law firm specializing in data protection and IT law, we are happy to answer all of your questions and support you with your GDPR compliance.