Authors: Diana Gavra, Irina Oprea
Recently, the European Commission adopted two important decisions regarding the standard contractual clauses for the processing and transfer of personal data in compliance with the General Data Protection Regulation 2016/679 (the “GDPR”), as follows: (i) Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of GDPR; and (ii) Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR.
I. The Standard Contractual Clauses between controllers and processors under Article 28 GDPR
The European Commission has adopted a set of standard contractual clauses under Article 28 GDPR (the “DPA SCCs”) for use between controllers and processors that are subject to the GDPR. These DPA SCCs contain the provisions necessary for a data processing agreement under Article 28 GDPR and should not be confused with the standard contractual clauses which are safeguards for the transfer of personal data to third countries, presented below under section II.
As provided by the GDPR, the processing by a processor should be governed by a contract or other binding legal act (the “Data Processing Agreement” or the “DPA”) which should set out the elements listed in Article 28 GDPR: the subject matter and duration of the processing, its nature and purpose, the type of personal data concerned, the categories of data subjects and the obligations and rights of the controller and the processor. The Data Processing Agreement must be concluded in writing, including in electronic form.
The DPA SCCs may be included in a broader contract, and the parties may add other clauses or additional safeguards if they do not directly or indirectly contradict them or prejudice the fundamental rights or freedoms of data subjects.
Through its Decision, the European Commission aims to provide an optional set of clauses that controllers and processors may use to execute DPAs in compliance with Article 28 of the GDPR. Nevertheless, the parties do not have to insert in their DPAs the DPA SCCs approved by the European Commission or by any other EU supervisory authorities in order for their DPA to be valid.
II. The Standard Contractual Clauses for transfer of personal data to third countries
According to the GDPR, transfers of personal data to countries outside the European Economic Area (the “EEA”) which do not ensure an adequate level of data protection must meet certain requirements to ensure that the personal data are protected with the recipient. The current list of countries for which an adequacy decision was adopted (and where no additional safeguards are necessary for the transfer) is available here.
In practice, the most commonly implemented safeguards for such transfer to third countries are the standard data protection clauses.
There are several differences between the old standard contractual clauses, which were adopted under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Old SCCs”), and the new standard contractual clauses, which were adopted as a necessity to adapt to the new technological developments (the “New SCCs”):
- as opposed to the Old SCCs which provided for the transfer of personal data from an EEA controller to either a controller or a processor outside the EEA, the New SCCs address various transfer scenarios that may occur:
- processor-to-(sub-)processor, and
Also, the New SCCs represent a single set of clauses within a contract, composed of three parts: (i) the general clauses which cannot be modified; (ii) the modules, which can be added/removed from the final contract depending on the qualification of the parties that execute the New SCCs; and (iii) the annexes, which are to be filled in and completed by the parties with relevant information.
- when the data importer is a processor or a sub-processor, the New SCCs cover both requirements set under Article 28 and Article 46 of GDPR and the parties do not have to conclude two separate documents.
- the New SCCs offer strengthened rights for data subjects by entitling them to be informed about the data processing operations in certain cases, to have a means to contact foreign controllers, to receive a copy of the New SCCs concluded, and to be compensated for damage suffered in relation to their personal data. Also, the New SCCs allow data subjects to enforce certain provisions against both the data exporter and the data importer, in contrast to the Old SCCs, under which data subjects could enforce third-party beneficiary clauses against the data importer or the sub-processor only if the data exporter had disappeared or ceased to exist by law.
- the New SCCs allow other entities to adhere to the SCCs at any time, as data importers or data exporters.
- the data importer entering the New SCCs commits to the following obligations:
(i) to notify the data exporter if it has reasons to believe that it is subject to laws and practices that prevent the data importer from fulfilling its obligations under the New SCCs; in such case, the data exporter should identify appropriate measures to address the situation, or, if not possible, suspend the transfers;
(ii) to notify the data exporter and the data subjects when receiving legally binding requests from public authorities for disclosure of the personal data transferred, and to provide aggregated information at regular intervals if permissible under the law;
(iii) to challenge the above-mentioned legally binding request if it has reasonable grounds to consider that request unlawful.
III. When will the new sets of clauses become applicable?
The Decision adopting the DPA SCCs will enter into force starting with the twentieth day following that of its publication in the Official Journal of the European Union, which means 27 June 2021.
As for the New SCCs, according to the European Commission, the Decision will enter into force on the twentieth day following its publication in the Official Journal of the European Union. Given that the New SCCs were published on 7 June 2021, companies and organizations can apply the New SCCs starting with 27 June 2021.
The decisions regarding the Old SCCs will not be repealed for a further 3-month period from that effective date (until 27 September 2021). No new contracts based on the Old SCCs can be concluded after 27 September 2021. Contracts already concluded before 27 September 2021 based on the Old SCCs will still be considered valid for a transition period until 27 December 2022, provided the processing concerned remains unchanged and that reliance on the Old SCCs ensures that the transfer of personal data is subject to appropriate safeguards. The parties will have to ensure that they have transitioned to the New SCCs (or adopted other appropriate safeguards for data transfers) by 27 December 2022.
This information is not legal assistance.