New standard contractual clauses on data transfer: what consequences on your contracts?

On June 4th, 2021, the European Commission published new standard clauses for the transfer of personal data to third countries.

What are the consequences on your contracts involving data transfer outside the European Union?

GDPR’s emphasis on standard contractual clauses

The General Data Protection Regulation (GDPR) of April 27th, 2016, frames in particular the transfer of personal data to countries outside the European Union¹ or the European Economic Area².

A transfer of personal data to a third country can occur when the Commission has issued an adequacy decision, i.e. when the Commission has recognized that the third country ensures an adequate level of data protection.

In the absence of such decision, for a transfer of personal data to be carried, it is the responsibility of the controllers or processors to ensure that they offer a sufficient and appropriate level of data protection. To this end, they can regulate such transfers by using standard contractual clauses defined by the European Commission.

 

Schrems II decision leading to the drafting of new standard contractual clauses

In its Schrems II decision of July 16th, 2020, the Court of Justice of the European Union invalidated the “Privacy Shield” agreement which until then had allowed data to be transferred to the United States, considering that the American regulations did not meet the necessary requirements.

As a result of this decision, the Privacy Shield can no longer serve as a basis for transferring personal data from the European Union to the United States. The Court also stated that the Standard Contractual Clauses do not sufficiently address the problems raised by the transfer to the United States.

The new standard contractual clauses now require the data exporter to take into account the legislation applicable to the data importer in order to determine whether the standard contractual clauses will be fully effective or whether they will need to be complemented by additional protective measures.

 

The modifications implemented

The new contractual clauses cover four types of transfers:

– Transfer from controller to controller (Module 1);

– Transfer from controller to processor (Module 2);

– Transfer from processor to processor (Module 3);

– Transfer from processor to controller (Module 4).

The former standard contractual clauses only provided for the first two transfer scenarios.

From the data subjects’ perspective, their rights over their data are more detailed.

These new Standard Contractual Clauses include a new third party beneficiary clause allowing a third party to join the contract provided that the original parties express their agreement and that there is a written document. The adhering entity then obtains the rights and obligations of a data exporter or data importer, as designated. However, it has no rights or obligations for the period prior to its accession.

The previous standard contractual clauses already listed the rights of data subjects such as the right of access, the right to erasure or the right to rectification of inaccurate or incomplete data, but the new clauses go into more detail on these rights, such as the right not to be subject to automated processing, or the right to object in case of data processing for direct marketing purposes.

The new standard contractual clauses ensure more transparency. A copy of the clauses will be made available to the parties. They also guarantee the security of processing. They respect a logic of compliance or accountability since the parties will have to retain documents to demonstrate compliance with the processing rules.

 

Geographic scope

These new clauses can be used by controllers or processors who are not established in the European Union, but who carry out processing operations subject to the GDPR.

 

What are the next steps?

As from September 27th, 2021, organizations entering into new contracts will have to use the new standard contractual clauses. Organizations that applied the previous clauses before this date will still have a transition period of 15 months, until December 27th, 2022, to review their contracts and implement the new clauses.

 

***

The standard contractual clauses are available on the European Commission’s website.

¹ Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

² EU + Island, Liechtenstein, Norway.

 

Contact: Stéphanie Berland, Partner head of IP/IT/Data Department