On November 12, 2020, the European Commission issued a draft implementing decision on standard contractual clauses (‘SCCs’) for the transfer of personal data pursuant to the EU General Data Protection Regulation (‘GDPR’) together with a new set of SCCs.
The draft decision indicates that the role of SCCs is limited to ensure appropriate data protection safeguards for international data transfers to third countries. The new SCCs will be able to be included within a wider contract and can be supplemented via contractual commitments that supplement the SCCs. Moreover, the SCCs set out in the Annex to the Decision combine general clauses with a modular and dynamic approach, as opposed to the previous SCCs which had to be adopted as is, this in order to cater for different transfer scenarios and the complexity of modern processing chains.
To ensure the provision of appropriate safeguards, the draft Decision states that SCCs should also ensure that the personal data transferred on that basis are afforded a level of protection which is equal to that guaranteed in the European Union.
The draft Decision emphasizes data subjects’ rights, particularly their right to be provided a copy of the SCCs and to be informed of any change of purpose and the identity of the third party to whom such data is disclosed. Additionally, a new interesting proposed element is that data subjects should also be able to invoke and enforce the SCCs as third-party beneficiaries, with the draft Decision indicating that the law of the Member State chosen between the data exporter and the data subject, must allow for such beneficiary rights. For effective enforcement, the data importer should be required to submit to the jurisdiction of the competent authority that the law of a Member State provides and has to abide with any binding decision given in accordance with such law. SCCs should also provide for rules on liability between the parties and in respect to data subjects, as well as rules on indemnification.
Demonstration of compliance with the SCCs should also be done between the parties. In particular, the data importer should be required to keep appropriate documentation for the processing activities under his responsibility. In the situation where the data importer has reason to believe that it is not able to comply with the SCCs, it should notify the data exporter.
Finally, the data importer should also notify the data exporter as well as the data subject, when it receives a legally binding request from a public authority for the disclosure of personal data or becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs.
As for the draft set of new SCCs, they include a set of data protection safeguards which would apply to: (a) a transfer controller to controller, (b) a transfer controller to processor, (c) a transfer processor to processor and (d) a transfer processor to controller.
Notably, the SCCs do not prejudice the obligations of the data exported under the GDPR. Moreover, parties would not be prevented from including clauses that do not infringe on the SCCs or prejudice fundamental rights or freedoms of data subjects.
The SCCs also establish that any agreement between the parties which co-exists with the SCCs, is not to take priority over the SCCs. Indeed, it is the SCCs which would prevail in such a situation.
The draft also establishes guidelines for instances in which the third-country’s local laws would affect the SCCs. The parties must warrant that data protection laws in the third country do not affect the data importer’s ability to fulfill its obligations under the SCCs. The warranty must in turn include, in brief, details on the specific circumstances of the transfer, the laws of the third-country of destination relevant in light of the circumstances of the transfer, as well as any safeguards in addition to those under the SCCs.
In turn, the data importer is to assure the data exporter is provided with the necessary information and further ensure co-operation and compliance with the SCCs. The data importer is also under the obligation to inform the data exporter if a change in a data protection measure or law of the third-country, which would inevitably affect compliance with the SCCs and GDPR, occurred. In this situation, whereby the data importer can no longer fulfil its obligations under the SCCs, the data exporter may either continue the contractual relationship, given that the data exporter implements appropriate measures and safeguards and notifies the competent supervisory authority, or terminate the relationship.
This article was written by Senior Associate Dr Terence Cassar and Legal Trainee Mr Steve Vella.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.