Extra-EU data transfers: the new standard contractual clauses

published on 21 June 2021 | reading time approx. 3 minutes

The European Commission has ruled that with effect from 27 September 2021, new contracts agreed must be implemented on the new standard contractual clauses (known as SCC), in case they involve transfers of data outside the EU.

What it is about

On 4 June 2021 the European Commission has adopted the implementing decision (EU) no. 2021/914 which established on one hand that new contracts agreed must be implemented on the new standard contractual clauses (known as SCC), in case they involve transfers of data outside the EU, and on the other hand that contracts concluded before 27 September 2021 on the basis of Decision 2001/497/EC or Decision 2010/87/EU shall be deemed to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.

Then, from 27 December 2022, contracts will be modified and updated in compliance the new SCC.

Parties are free to include those standard contractual clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. In the event of a contradiction, also related to entered into thereafter, these standard contractual clauses shall prevail.

According to the CJEU's judgment of July 16, 2020 (Schrems II), the standard contractual clauses should ensure a level of protection essentially equivalent to that guaranteed within the EU. Therefore, the law of the data importer (Third Country) must be evaluated, in order to consider the eventual implementation of a DTIA in addition to the new SCC.

More specifically, these standard contractual clauses provide  as follows:

• information: provide data subjects with information about the fact that it intends to transfer their personal data to a third country pursuant to Article 13(1)(f) and Article 14(1)(f) of GDPR;
• rights: data subjects should be able to invoke, and where necessary enforce, the standard contractual clauses; therefore, the law of one of the Member States governing the standard contractual clauses must allow their rights;
• individual redress: the standard contractual clauses should require the data importer to inform data subjects of a contact point and to deal promptly with any complaints or requests. The data subject should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in EU;
• jurisdiction: the data importer should be required to submit to the jurisdiction of such authority and courts, and respects any binding decision under the applicable Member State law;
• representation: data subjects should be allowed to be represented by associations or other bodies in disputes against the data importer if they so wish;
• compensation: where the data subject suffers material or non-material damage, he or she should be entitled to compensation;
• transfer to a data importer acting as a processor or sub-processor: a procedure for general or specific authorisation and the requirement for a written contract with the sub-processor are required;
• accountability: the parties should be able to demonstrate compliance with the standard contractual clauses;
• failure of data importer: if the data exporter receives notification or becomes aware that the data importer is no longer able to comply with the standard contractual clauses, it should identify appropriate measures to address the situation, if necessary in consultation with the competent supervisory authority, until to suspend the transfer or terminate the contract, in serious cases;
• adequacy of the Third Country: the laws of third country must not interfere with compliance with the standard contractual clauses. Verification must be carried out for the entire duration of the contract.

What to do

Considering the Decision, we suggest you to proceed as follows:

Regarding contracts already entered into force

• Maintain existing contracts for current transfers set out on the previous SCC valid until to December 27, 2022, if treatments remain the same. Additionally, a Data Transfer Impact Assessment ("DTIA") will be signed, if not yet implemented;
• Modify and update in compliance with the new SCC contracts already stipulated but with expiration date in a short term providing also a DTIA, if applicable and based on the analysis related to the level of protection of the law of data importer;
• Assess all existing contracts involving transfers in progress by December 27, 2022 and adequate all these agreements in compliance with the new SCC providing a DTIA, if applicable and based on the analysis related to the level of protection of the law of data importer;

Regarding new contracts

• From September 27, 2021 annex to new contracts involving transfers of personal data the new SCC providing also a DTIA, if applicable and based on the analysis related to the level of protection of the law of data importer;
• Before entering into an agreement under the new SCC, identify privacy roles and the applicable module of transfer among the four cases ("module") identified by the European Commission and apply the specific provisions (from Articles 8 to 18) of the standard contractual clauses.

The Decision – which can be read at the following link -  is composed by the following Annex:

• Annex Standard Contractual clauses set forth with general rules under articles 1-7 and specific clauses (articles 8-18), to focus on the four particular module indicated by the European Commission, as follows:
1.  Transfer controller to controller ("module one");
2.  Transfer controller to processor ("module two");
3.  Transfer processor to processor ("module three");
4.  Transfer processor to controller ("module four").
• Appendix regarding an explanatory note: "[…] This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used".
• Annex I rules the list of parties and the description of transfer, as well as the competent supervisory authority (applicable to module one, module two and module three);
• Annex II – technical and organisational measures including technical and organisational measures to ensure the security of personal data (applicable to module one, module two and module three);
• Annex III – List of Sub-processors (applicable to module two and module three).