European Commission adopts new sets of Standard Contractual Clauses

What are standard contractual clauses (SCCs)?

Whilst businesses within the EU may benefit from the free flow of data across the Community, personal data may be transferred to third countries only on limited grounds and subject to certain additional requirements, such as an adequacy decision for the respective third country, binding corporate rules adopted and approved within a group of companies, and more.

In the absence of an adequacy decision or binding corporate rules, the personal data controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of implementing standard data protection clauses adopted by the EU Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses authorised by a supervisory authority.

In this sense, SCCs are an important tool for facilitating data transfers outside the EU, including to the US.

What is new?

On 04 June 2021, the European Commission adopted two long-awaited new sets of SCCs that controllers and processors may use in their data-related business operations. The new SCCs are aligned with the GDPR (the previous ones were based on Directive 95/46/EC) and can be widely applied, as they provide certain solutions with respect to obligations arising from the Schrems II ruling. In addition, the European Commission firmly states that these SCCs were adopted with technological advancement in mind, while also observing the protection of the rights granted to data subjects by the GDPR.

Who should use the SCCs?

When it comes to data transfers, all participants in the process may use the SCCs, regardless of their capacity. SCCs may be integrated in a controller-controller or controller-processor relationship, and also in agreements with data-related subcontractors.

However, the possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority does not prevent controllers or processors from including the standard data protection clauses in a wider contract or from creating additional safeguards for the data flow through contractual mechanisms (to the extent, of course, that such mechanisms do not contradict the standard contractual clauses or other fundamental rights of data subjects). The GDPR in its Preamble indicates that “controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses”.

Specifics of the SCCs

The newly adopted SCCs aim to cover all directions of data flows from and to the EU. It is considered that the SCCs provide sufficient safeguards for data transfers between exporters of data (controllers and processors that are bound by the GDPR) and importers (controllers, processors or subcontractors that are not bound directly by the GDPR).

However, the SCCs are not a free pass for transferring data outside of the EU. Even if SCCs are in place between controllers/processors, a data transfer may still be prohibited by a supervisory authority if it establishes that there are legal or other matters that prevent the non-EU data recipient from ensuring the practical implementation of the safeguards provided by the SCCs.

As expected, the new SCCs explicitly state that they provide sufficient safeguards for non-EU data transfers only if they are not amended. This continues the previous line of the European Commission, aiming to mitigate the risk of controllers/processors using legal techniques to circumvent the approved SCCs.

In terms of structure, the newly adopted SCCs are conveniently divided into several modules that cover different directions of data transfer, namely:

✓ from controller to controller (C2C)

✓ from controller to processor (C2P)

✓ from processor to processor (P2P)

✓ from processor to controller (P2C)

There are also certain modules that regulate the use of subcontractors.

In general, the new SCCs (in all their modules) apply the GDPR transparency principle more strictly: data subjects should be provided with sufficient information regarding the path of their personal data, including by receiving a copy of the SCCs. The SCCs also reflect the data minimization and purpose limitation principles.

As expected, the SCCs also dedicate special attention to technical and organizational measures, in consideration of the greater amount of personal data that is transferred to data importers via digital channels, which makes it vulnerable to unlawful interception. The spotlight also falls on the exercise of rights by data subjects.

What will happen from now on?

The decisions approving the old SCCs will be revoked three months after the entry into force of the decision on the new SCCs.

The main question for the stakeholders is what will happen with the agreements signed under the old SCCs. The new SCCs will have a transitional period for coexistence with the old SCCs. Controllers and processors will be entitled to continue transferring data for 15 months under the old SCCs. During the transitional period, businesses and their partners will have to migrate to the new rules.