Replacement Standard Contractual Clauses (SCCs): European Commission publishes final text
Written By
On 4 June 2021, the European Commission published its final Implementing Decision adopting new standard contractual clauses for the transfer of personal data to third countries (“Clauses”). This follows the draft implementing decision and clauses issued by the European Commission for consultation on 12 November 2020 (“Consultation Draft”). The Implementing Decision will be effective on the 20th day following its publication in the Official Journal of the EU (“OJEU”), meaning that the Clauses can be used from 27 June 2021. The Clauses tackle 3 key points:
- they address known deficiencies in the current standard contractual clauses – catering for data transfers involving multiple parties and from processors to sub-processors and from EU processors back to their instructing controller;
- whereas the current standard contractual clauses allow the parties to meet obligations equivalent to those in the repealed Directive 95/46 (“Data Protection Directive”), the Clauses are consistent with the General Data Protection Regulation (“GDPR”); and
- the Clauses respond to the Schrems II judgement.
How do the Clauses compare to the Consultation Draft?
The Clauses are very similar to the Consultation Draft
Organisations who had already started to give thought as to how they would transition to the Clauses will be relieved to hear that the Clauses are similar in form and substance to the 12 November 2020 draft. The most significant changes are to introduce a longer transitional period and to add more detailed drafting on dealing with local laws and practices affecting compliance with the Clauses.
There is a longer transitional period
As noted above, the Commission Implementing Decision will be effective on the 20th day following its publication in the OJEU. The Clauses have been published in the OJEU on 7 June 2021 (see here). This means that the Clauses can be used from 27 June 2021. However, the Commission decisions approving the current standard contractual clauses will not be repealed for a further 3 months from that effective date. There is also a transitional provision, stating that contracts using the current standard contractual clauses will provide appropriate safeguards[1] for data transfers for 15 months from that effective date.
This means that:
- Strictly speaking, organisations can start using the Clauses from 27 June 2021
- Organisations don’t have to start using the Clauses then. Exporters and importers can continue signing the existing standard contractual clauses for a further 3 months: but after that date (i.e. 27 September 2021), no new contracts can be signed using the existing standard contractual clauses
- Data exporters and data importers then get 18 months from the effective date of the Implementing Decision (i.e. until 27 December 2022) to replace contracts using the current standard contractual clauses with the Clauses - unless the actual underlying processing operations change, in which case the Clauses should be used from that point on.
There is more guidance on local laws and practices affecting compliance
The Consultation Draft contained a warranty that the parties have no reason to believe that local laws and practices in the importer’s country would prevent the importer from complying with its obligations under the Clauses. In giving this warranty the parties must take account of certain stipulated factors. This is retained in the Clauses but with important additional guidance – in a footnote - on factors to take into account. The footnote says that if the parties wish to rely on their “practical experience” of public authority access to data, this “needs to be supported by other relevant, objective elements”. The parties should check if their experience is corroborated by publicly accessible and reliable information about public authority requests to access personal data - for example via case law or reports of independent oversight bodies. The European Data Protection Board (“EDPB”) draft Recommendations on Schrems II issued in November 2020 suggest that it is not possible to take this type of practical experience into account at all – so the fact that this remains in the final Implementing Decision – with helpful suggestions on ways to make this assessment as robust as possible – is very helpful for exporters and importers. Note that the EDPB is expected to release the final version of its Recommendations on Schrems II by mid-June.
The Clauses also contain slightly amended provisions setting out what the importer must do if it receives a request from a public authority to access transferred personal data – stating that the importer must challenge the request if there are reasonable grounds to consider it unlawful – either under the law of the importing country, or taking into account obligations under international law and principles of international comity; where appropriate the importer must also exhaust appeal routes.
There is a lot of other red-line
Readers may have seen (with considerable gratitude) the unofficial red-line published on LinkedIn by Christopher Schmidt – and noticed the extent of the changes. There are, of course, more changes than the two we’ve listed above. Some of the more “commercial” provisions in the Consultation Draft (such as addressing costs for audit) have been removed. The Consultation Draft also contained a provision stating that a controller importer must notify the data subject of the identity of all third parties to whom it transferred personal data – this has been removed, and the controller importer must now only provide details of recipients, or categories of recipients of personal data.
The majority of the changes are, however, stylistic – correcting prepositions; removing split-infinitives etc … Eagle-eyed readers may also have noted that the Implementing Decision uses data as a singular noun and a few stray occasions of data in the plural have been corrected; there can be strong opinions on this point, so we are expecting comment saying we should have listed this as a significant change!
What do the Clauses cover?
The Clauses can be used for transfers:
- From a controller to another controller (C2C)
- From a controller to a processor (C2P)
- From a processor to a processor (P2P)
- From a processor to its appointing controller (P2C)
The Clauses can be used whenever the exporting party is subject to the GDPR – even if the data exporter is not established in the EU [2] . If a controller is subject to the GDPR on an extra-territorial basis, for example, because it is apparent that it intends to offer goods and services to data subjects in the EU (i.e. Art. 3 (2)(a) of the GDPR), and that controller wishes to transfer EU personal data to a processor, it could now use the Clauses to do this.
The Clauses can also be used by multiple parties and include arrangements for new parties to accede to them via a “docking clause” (i.e. mechanism which allows new parties to accede to the Clauses in case of changes over time). They could, therefore, for instance be useful for intra-group data transfers if a new subsidiary is set up, which needs to “sign on” to intra-group data transfer arrangements with its overseas parent company.
What don’t the Clauses cover?
The Clauses can only be used where the data importer is not subject to the GDPR. This may sound an odd point. If the recipient of data is in the EU – of course – the Clauses won’t be necessary. But what is the situation if an EU based exporter transfers personal data to an organisation that is outside the EU, but to whom GDPR applies on an extra-territorial basis? For example, this would be the case if an EU based publisher transfers personal data to an ad-tech company established outside the EU. Is this an international transfer of personal data which is restricted by Chapter V of the GDPR? The EDPB is currently considering the point and this is likely to be addressed in an upcoming opinion entitled “Territorial scope (Article 3) of the GDPR and its interplay with Chapter V”. The Clauses have an oblique reference to this question – recital 7 notes that that the Clauses are for use “without prejudice to the interpretation of the notion of international transfer in Regulation (EU) 2016/679. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679”. It is not clear if this is a transfer; but if it is, it is clear that these Clauses aren’t the answer.
The Clauses don’t cover transfers of personal data to which the UK version of the GDPR applies. This is because post-Brexit UK data protection legislation only references the standard contractual clauses which were approved as at 31 December 2020. The UK supervisory authority, the Information Commissioner, has said that her Office will consult on new, UK specific, data transfer agreements this summer and that it is considering if there is value to the UK in recognising the Clauses.
What could the Clauses do better?
The docking clause concept, to allow for new parties to join, is helpful. However, the mechanism by which new parties join is not clear. The Clauses say that – “by agreement of the Parties” - the new party may accede by completing a new data transfer Appendix and signing Annex I.A. It is not clear how the existing parties would give agreement – the Clauses seem to anticipate that there will be one physical copy of the Clauses, so that the new party would only be able to sign if the one true-copy is sent to it. However, in practice, multi-party agreements are signed with counterparts clauses which undermines this assumption. Further, any mechanism which requires multiple existing parties to sign agreement will quickly become unwieldy and undermine the welcome flexibility which this introduces.
As noted above, the Implementing Decision removed many of the “commercial” provisions which had been included in the Consultation Draft – for example, allocating costs for audits; providing that indemnities are only triggered if a party gives notice of a claim and co-operates with the party giving the indemnity. Data exporters and importers will often want to negotiate supplemental commercial terms addressing these points – however, it is probably sensible for the Commission to leave this to the parties themselves to negotiate.
How do the Clauses deal with Schrems II?
The Clauses are drafted to take account of, and work, with the Schrems II judgment. As one would expect, the Implementing Decision refers extensively to the judgment.
The Clauses retain the principles in the current standard contractual clauses, which were considered positively by the CJEU in Schrems II, and which were the basis for the CJEU’s decision that the SCCs should remain valid. These principles are:
- an obligation on the data exporter (assisted by the data importer) to consider the level of protection of personal data in the third country;
- an obligation on the data importer to notify the data exporter of any inability on the part of the data importer to comply with the standard contractual clauses; and
- a corresponding obligation on the exporter to suspend data transfers or terminate the agreement.
The current standard contractual clauses allow the exporter to notify the supervisory authority if it continues to transfer personal data having received such a notice; this provision had been included in the Consultation Draft, but was removed from the Clauses.
The Clauses incorporate further elements from Schrems II. In particular, transfer impact assessments shall be carried out and made available to the competent supervisory authority on request (clause 14). The Clauses set out the factors that the data exporter (with the mandated help of the data importer) must consider in a transfer impact assessment. In addition to considering the law and practice in the third country, the Clauses also helpfully reference i.a. the length of processing chain, the number of actors involved and transmission channels used; the type of recipient and details of onward transfers; purpose of the processing and the nature of the data transferred; as well as the format of the transferred data and the relevant economic sector concerned in which the transfers occur and the storage location of the data transferred.
The Clauses also include stronger commitments on the data importer vis a vis attempts by public authorities in the third country to access EU originating personal data. The data importer must – where possible- notify both data exporter and data subject(s) that it has received a request by a public authority to access such data (and public authorities are defined as including judicial authorities); it must assess the legality of any such order by reference to the law in force in the third country and international commitments and, where it considers it has grounds to challenge the order, it must do so; where possible it must seek an interim measure to suspend any requirement to disclose data while the challenge is pending; it must also disclose the minimum amount of personal data reasonably possible in response to an order. The data importer must document these requests and the steps it follows and make these available to the exporter. It must also prepare a transparency report (i.e. more general information about the nature of requests received).
The Commission has not included all of the EDPB’s suggested supplementary measures mentioned in the EDPB draft Recommendations on Schrems II: in particular, the suggestions relating to “warrant canaries” and “no-backdoor warranties” have not been included. The requirement in the Clauses that the data importer should document requests and make documents available to the exporter can be found in the EDPB’s draft list of organisational measures; as can the requirement that a processor importer should apply access controls to personal data strictly, only allowing access to personal data where strictly necessary to perform or manage the contract. The Annex II of technical measures could also include references to encryption or pseudonymisation; again, methods recommended in suitable cases by the EDPB in its draft Recommendations on Schrems II.
How do the Clauses provide a GDPR-upgrade for data importers?
The existing controller to controller SCCs require the controller importer to agree to follow data protection principles based on those set out in the Data Protection Directive. The Clauses include new obligations in line with GDPR. Transparency obligations are included. Access, erasure and rights to object to processing for direct marketing are also included as are restrictions on automated individual decision making. One of the innovations of GDPR was to include an accountability principle and both controllers and processors have to agree to demonstrate their compliance with the Clauses; processors also have to keep records of the processing which they carry out on behalf of the controller.
However, the Clauses do not seek to impose obligations which are identical to those in GDPR. Controller importers do not have to agree to implement portability or restriction. Similarly, the Clauses are not (generally) prescriptive as to how accountability is achieved – so the specific provisions in GDPR relating to records of processing activity and data protection impact assessments are not included.
What do the Clauses look like?
Because the new Clauses address C2C, C2P, P2P and P2C transfers, they look very different to the current SCCs – where there are separate, free-standing, agreements for each type of data transfer. The Clauses contain certain content which is applicable to all situations – for example, introductory provisions, provisions on non-compliance and termination. They also contain modular content which is only applicable to that specific type of transfer (C2C, C2P, P2P or P2C). As a result they feel very different to the current SCCs – practitioners will need some time to get used to them.
The structure of the Clauses is as follows:
|
Section 1 |
general |
general introductory provisions, third-party rights, interpretation, hierarchy, details of transfers covered, accession mechanism |
|
Section 2 |
modular |
substantive data protection obligations; redress, liability, indemnification, supervision |
|
Section 3 |
general with edits |
local laws and practices affecting compliance with the Clauses |
|
Section 4 |
general with edits |
non-compliance &termination, governing law and jurisdiction |
For those who want a deeper analysis of the Clauses, the table below sets out a full summary and also shows how the modular provisions compare to each other. For brevity, in the table, we have used “DS” for data subject and “SA” for supervisory authority.
|
Section I |
|||
|
Clauses 1 - 7: purpose and scope purpose to ensure compliance with GDPR; statement that can agree extra provisions so long as these do not contradict the Clauses or prejudice rights of DSs; inclusion of 3rd party beneficiary rights; definitions in GDPR apply; in the event of a contradiction between the Clauses and other agreements the Clauses shall prevail; Annex I.B specifies the applicable transfers; optional accession mechanism. |
|||
|
Section II: obligations of the parties |
|||
|
Clause 8: data protection safeguards (≈data protection principles) |
|||
|
C2C |
C2P |
P2P |
P2C |
|
- |
Instructions: processor importer to process only on documented instructions of controller exporter. Processor importer must immediately advise controller exporter if cannot follow instructions. |
Processor exporter to inform processor importer that it acts under instructions of controller(s); details of instructions to be provided.
Processor importer to process only on documented instructions from controller(s) as supplemented by non-conflicting instructions from processor exporter. Processor importer must advise if cannot follow instructions and processor exporter must notify controller (s). |
Processor exporter to process data only on instructions from the controller importer. Processor exporter to notify controller importer if it is unable to follow instructions. Controller importer to refrain from any action that would prevent processor exporter from fulfilling its obligations under GDPR – e.g. as regards co-operation with SAs. Processor exporter to delete or return data at end of processing at choice of controller importer. |
|
Purpose limitation: controller importer not to process personal data for any purposes incompatible with those in Annex I.B, without DS’s prior consent, or where necessary for legal claims or to protect vital interest of DS or another person. |
Importer only to process data for specific purposes of transfer as per Annex I.B. |
N/A |
|
|
Transparency: controller importer must inform DSs, directly or indirectly, of its identity & contact details; any change in purpose; if data disclosed to any 3rd party, categories of 3rd party and purpose of disclosure. Exemption where DS already has the information or where notice would be impossible or involve disproportionate effort. In this case, must post a publicly available privacy notice with the information. Parties to provide clauses to DS on request.
|
Parties to provide copy of clauses to DS on request. |
N/A |
|
|
Ongoing data accuracy commitment on parties; notification of inaccuracy to each other; data minimisation obligation on controller importer.
|
Importer to notify exporter if aware of inaccuracy. Importer to co-operate to rectify. For P2P, must also notify and co-operate with controller(s). |
N/A |
|
|
Storage limitation obligation on controller importer.
|
Storage limitation obligation on importer at end of which must return or delete data – notwithstanding any requirements under local law which prohibit this. In that case, must guarantee continued protection and only process as required by such local law. |
N/A |
|
|
Security obligation – on both parties during transmission and on importer once received. Security measures applicable to controller importer to be specified in Annex II. Controller importer to ensure personnel under obligation of confidentiality. Personal data breach reporting obligation on controller importer if personal data breach likely to result in (i) a “risk” to DS (to controller exporter and SA) and (ii) to DS if “high risk”. Notice to controller exporter and competent SA and to DS, if necessary in conjunction with controller exporter (exemption for disproportionate effort, subject to making a public notice). Controller importer must document personal data breaches and remediation.
|
Security obligation as per C2C but if pseudonymisation is used, additional information to identify – where possible – to remain under exclusive control of exporter. Importer to implement toms specified in Annex II.
Importer only to allow access to personal data to personnel where “strictly necessary” for contract & subject to appropriate confidentiality.
Personal data breach obligations in line with GDPR. For P2P, importer to notify controller(s) where appropriate; assistance obligations to enable processor exporter to meet its obligations to assist the controller(s) under the GDPR. |
Parties to ensure security of data during transmission. Processor exporter to assist controller importer in meeting security obligations & to ensure personnel under appropriate confidentiality obligations. |
|
|
Special categories of personal data – controller importer to apply specific restrictions. |
Special categories – importer to apply specific restrictions listed in Annex I.B |
N/A |
|
|
Onward transfers: permissible if 3rd party is bound by these Clauses; or adequate safeguards provided per GDPR arts. 45 – 47; or 3rd party and controller exporter enter into binding instrument providing same level of protection as the Clauses and controller importer provides a copy of this to controller exporter; necessary for legal claims or for vital interests of DS or another natural person; or explicit consent of DS + notice to controller exporter (last resort provision). |
Onward transfers only per instructions of the exporter (or for P2P, of the controller(s)). If in a third country only if: per Arts. 45 – 47 GDPR; or if 3rd party agrees to be bound by these Clauses; necessary for legal claims for vital interests of DS or another natural person. |
N/A |
|
|
Processing to be under authority of controller importer. |
N/A |
N/A |
|
|
Accountability: parties to be able to demonstrate compliance. Controller importer to make documentation available to competent SA on request. |
Importer to deal with queries from exporter (or for P2P, processor exporter or controller(s)).
Parties to be able to demonstrate compliance – in particular, importer to have documentation on processing carried out on behalf of the exporter. Importer to make available information necessary to demonstrate compliance, and to agree to audit or to rely on an independent audit organised by the importer – to include on premise inspection on reasonable notice. Audit results and other information to be available to supervisory authority on request. For P2P accountability etc obligations owed to processor exporter and controller (s). |
Parties to be able to demonstrate compliance. |
|
|
Clause 9: use of sub-processors |
|||
|
N/A |
Restrictions on sub-contracting without authority of exporter. Options included for specific prior authorisation or general written authorisation, on the basis of notice given in sufficient time to allow the exporter a right of objection and based on attached list of sub-processors (from an agreed list). Importer to provide copy of sub-processor agreement on request. Importer to be responsible for acts of sub-processor. Sub-processing clause to have 3rd party beneficiary clause whereby exporter is third party beneficiary to contract in event of bankruptcy of importer – including a right to require deletion or return of data. In P2P clauses, authorisation has to be given by the controller(s). Third party rights in the event of insolvency etc.. of importer are to be exercisable by the data exporter. |
N/A |
|
|
Clause 10: data subject rights |
|||
|
Controller importer to deal with and to facilitate exercise of DS rights. Obligation to provide information in intelligible and easily accessible form, using clear & plain language. DS rights correspond to rights of transparency and access (including to information in Annex I), rectification, and erasure under GDPR and rights to object to processing for direct marketing purposes. There is no obligation to support portability or restriction or to allow a general right to object to processing based on legitimate interest or performance of a task in the public interest. There are restrictions on use of automated individual decision making, which are comparable to those under GDPR. There are derogations for requests which are excessive or where refusal is allowed under the laws of the 3rd country & in line with Art. 23 GDPR restrictions (i.e. derogations). Controller exporter must inform DS if it refuses a request. |
Obligation for importer to notify exporter of request it receives directly from DS.
Obligation for importer to assist exporter, in line with Art. 28 GDPR. For P2P, processor importer must notify controller(s) where appropriate and must assist controller(s).
For C2P, Annex II to set out TOMS by which processor will assist controller to comply with DS rights. |
Further assurance provision. |
|
|
Clause 11: redress |
|||
|
Importer to provide contact point for complaints (either by direct notice or website). Complaints to be handled promptly. Optional provision for importer to agree that complaints can be lodged with independent dispute resolution body. |
|||
|
Obligation to keep parties informed and to co-operate in resolution. If DS invokes 3rd party beneficiary rights, data importer accepts decision of DS either to complain to a SA; or to refer the dispute to the competent courts. Parties agree that DS can be represented via representative actions under art. 80 GDPR (e.g. actions by NOYB etc). Importer agrees to abide by decision binding under EU/Member State law. |
N/A |
||
|
Clause 12: liability & indemnification |
|||
|
Each party liable for damage caused. Each party liable to DS for damage it causes. For C2P and P2P transfers, exporter also liable to DS for damage caused by exporter or importer. If more than one party is responsible for damage, then parties are jointly & severally liable to DS. Importer cannot avoid liability by blaming actions of a processor or sub-processor. Exporter’s liability under GDPR not affected by above provisions. Where transfer is P2P, controller’s ultimate liability to DS also not affected by this. If one party is held liable for a breach caused by another, it can claim back liability corresponding to the party’s part of responsibility. |
|||
|
Clause 13: supervision |
|||
|
Importer to agree to submit to jurisdiction of competent SA and to respond to inquiries, submit to audits by and comply with measures adopted by the SA, including remedial and compensatory measures. The competent SA will be the SA which is competent in relation to the exporter. If the exporter is not established in a Member State, but GDPR is applicable on an extra-territorial basis by virtue of Art. 3(2), then the supervisory authority of the Member State where a representative is appointed, or if there is an exemption from the need to appoint an EU rep, where DSs are, whose data is transferred shall be competent. |
|||
|
Section III: local laws & obligations in case of access by public authorities |
|||
|
Clause 14: local laws affecting compliance with the Clauses (only applicable in P2C if EU processor combines personal data with data collected by processor in the EU) |
|||
|
Parties warrant no reason to believe applicable laws & practices of importing country – in particular re: access by public authorities - would preclude importer from compliance. Warranty to take into account that laws and practices that respect the essence of the right are not in contradiction with the Clauses. Warranty to be given after taking due account of specified factors – about the particular transfer; the laws and practices; the safeguards in place. Footnote noting that subjective assessments based on experience of parties must be balanced by objective elements, such as case reports or independent oversight body reports. Importer to assist exporter in making assessment. Assessment to be documented and available to SA on request. Importer to notify exporter if believes now subject to requirements not consistent with warranty. Exporter then to identify appropriate measures or, if none, to suspend transfer. |
|||
|
Clause 15: obligations in case of access by public authorities (only applicable in P2C if EU processor combines personal data with data collected by processor in the EU) |
|||
|
Importer to notify exporter and DS (where possible and if necessary with help of exporter), if it receives a legally binding request for disclosure of personal data by a public authority in the 3rd country, or if it becomes aware of direct access by public authorities in the 3rd country to personal data transferred pursuant to the Clauses. Processor exporter must forward the notification to the controller. If local law prohibits notification to exporter/ DS, importer agrees to use best efforts to obtain a waiver of the prohibition and to communicate as much as possible. Importer to document its best efforts so it can demonstrate them on request of exporter. Importer to provide exporter, at regular intervals, with the greatest possible amount of relevant information on requests received – e.g. number of requests, type of data requested and requesting authority, if challenged and outcome. All to be as permissible under law of 3rd country. Exporter processor to forward above to the controller. Importer to preserve records of the above and to make available to competent supervisory authority on request. Importer must comply with these provisions irrespective of any notice to exporter advising it that it cannot comply (yes, really). Importer to assess requests for data to confirm legality; if there are reasonable grounds to challenge under 3rd country law/ international law, importer to do so, including via appeal on similar basis. Importer to seek interim measures to suspend effects of the request until court has decided on the merits. Importer not to disclose personal data until required to do so under applicable procedural rules. Importer to provide minimum amount of information permissible in response to a request. Importer to document legal assessment and challenge and – to extent permissible under 3rd country law – to make available to exporter and to competent supervisory authority on request. Processor exporter to forward above to the controller. |
|||
|
Section IV: final provisions |
|||
|
Clause 16: non-compliance and termination |
|||
|
Importer to inform exporter if unable to comply with the Clauses. If importer is in breach or unable to comply, exporter shall suspend transfer or terminate contract. Exporter entitled to terminate if suspension continues for more than one month, for substantial or persistent breach by importer, or failure by importer to comply with binding decision of court or competent SA. Exporter must inform competent SA of any such non-compliance (and processor exporter must notify controller). In event of termination, data to be deleted or returned. (For P2C – deleted not returned). If importer has to keep data to meet 3rd country law, it will continue to ensure protection for personal data and only process for so long as required under local law. Party(ies) can revoke agreement to be bound by clauses if an adequacy decision is adopted or if GDPR becomes part of the legal framework of the 3rd country. |
|||
|
Clause 17: governing law |
|||
|
Clauses to be governed by law of one of the Member States, provided that law allows for 3rd party beneficiary rights. Parties to specify the Member State. For C2P or P2P only, parties may select for Clauses to be governed by law of the Member State where the data exporter is established, provided this allows for 3rd party beneficiary rights. (Note that the requirement that the Member State law must allow for 3rd party beneficiary rights may mean that Irish law cannot be selected, where there is uncertainty over third party rights). P2C may select any governing law so long as third party rights allowed. |
|||
|
Clause 18: forum and jurisdiction |
|||
|
Disputes to be resolved by courts of any Member State. Parties to specify which Member State this is. DS may also bring proceedings in courts of Member State where the DS has his/ her habitual residence. Parties agree to submit themselves to jurisdiction of courts of Member States. P2C – jurisdiction to be specified (not necessarily Member State). |
|||
|
Annex I |
|||
|
C2C |
C2P |
P2P |
P2C |
|
A: list of parties |
|||
|
Name, address, person’s name, position and contact details, signature and date Description of activity relevant to the transfer For exporter to include details of DPO and/or EU representative |
|||
|
|
|
Note that the requirement to include identity and contact details of controller suggested in the Consultation Draft has been removed from the Clauses |
|
|
B: Description of transfer |
|||
|
Categories of data subjects and personal data Details of any special category data (if any) Frequency of transfer Nature of processing Purposes of transfer and further processing Maximum retention periods (if any)/ criteria to determine For transfers to (sub) processors, annex to reflect instructions from the controller and the subject matter, nature and duration of processing |
|||
|
C: competent supervisory authority |
|||
|
To be identified in accordance with clause 13 |
|||
|
Annex II: technical and organisational measures (including to ensure security) |
|||
|
C2C |
C2P |
P2P |
P2C |
|
This annex sets out the instructions from the controller(s) and the measures to provide assistance to the controller |
N/A |
||
|
Annex III: list of sub-processors |
|||
|
C2C |
C2P |
P2P |
P2C |
|
N/A |
Only relevant for specific authorisation, not general authorisation Name, address, person’s name, position and contact details, signature and date Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised) |
N/A |
|
[1]Readers may remember that, in Schrems II , the CJEU stated that standard contractual clauses are classed as appropriate safeguards under Art.46(2) of the GDPR, but that there is still a wider, over-arching, obligation on the data exporter to provide appropriate safeguards for the personal data after transfer and to ensure that the level of protection guaranteed by the GDPR is not undermined. The Implementing Decision states that the old standard contractual clauses are “deemed to provide appropriate safeguards within the meaning of Art.46(1) of Regulation 2016/679 … provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards”. In other words, the transitional provisions don’t alter this wider, over-arching obligation emphasized in Schrems II; if the standard contractual clauses do not, in fact, provide an appropriate safeguard for personal data, then the Implementing Decision does not alter this.
[2]Throughout this article, the term EU can be read as meaning the EEA (i.e. EU countries, Iceland, Liechtenstein and Norway)
