SCCs for international data transfers

Background

Article 46(2)(c) of the GDPR enables the Commission to adopt standard data protection clauses (SCCs) as a guar-antee for transfers to third countries. These clauses are drafted by the Commission in the form of an implementing decision and approved by repre-sentatives of the Member States in a committee proce-dure (cf. Article 93 of the GDPR). The SCCs are a contract concluded between the data exporter as the addressee of the GDPR and the data importer in the third country, which lays down binding rules for the handling of per-sonal data. The SCCs do not require separate approval by a supervisory authority. The Commission adopted new standard data protection clauses in June 2021((https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en)).

Modular approach

The SCCs are divided into four sections. In contrast to the previous clauses, all transfer constellations are now integrated into a single set of contracts. The SCCs now comprise a collection of 18 clauses from which the contracting parties must select those that correspond to the role of their interaction. The Commission is pursuing a modular approach here. The individual modules each represent one of the four constellations between data importer and data exporter:

  • Module 1: Data transfer from a controller to a controller in a third country (controller-to-controller, C2C)
  • Module 2: Data transfer from a controller to a processor in a third country (controller-to-processor, C2P)
  • Module 3: Data transfer from a processor to a sub-processor in a third country (processor-to-sub-processor, P2P)
  • Module 4: Data transfer from a processor to a controller in a third country (processor-to-controller, P2C)

Some general clauses apply to all constellations, while others are module-specific. The SCCs are supplemented by annexes that can be customised to describe the circumstances and parties involved in the data transfer.

Overview of the individual sections and selected claus-es

Section 1 (Clauses 1–7 SCC) contains general, module-independent framework conditions for data transfer (circumstances of data processing, third-party benefi-ciary clauses, accession of new contracting parties, etc.). The following clauses are particularly noteworthy:

Clause 2 regulates the effect and immutability of the clauses. The decisive difference to previous clauses is that these should now ‘enable’ the requirements of Art. 28 (3) and (4) GDPR (cf. EC 9 SCC). This means that it is no longer necessary to conclude a separate contract for order processing, although further contractual agreements are not excluded. The content of the SCCs may not be changed. However, specific details and additions are necessary in the SCCs,

  • for example when selecting the relevant module,
  • when completing the required text (marked with square brackets), e.g. to specify the competent courts and supervisory authority and to set deadlines,
  • when completing the annexes on the circumstances of the processing,
  • and when adding additional safeguards to increase the level of data protection (where necessary).

Such adjustments are not considered to be changes to the core text and are therefore unproblematic. If there are parallel provisions to the contractual content of the SCC, it must be examined whether these directly or indirectly contradict the clauses (see also EC 109 p. 1 GDPR).

Example: Cloud provider X states in its general terms and conditions that it may use subcontractors in an emergency without prior information or approval from the cus-tomer. Such a provision directly contradicts clause 9 (a) of the SCC.

If the parties agree on supplementary clauses that contradict the SCC, the SCC lose their status as ‘appropriate safeguards’ under Article 46(2)(c) of the GDPR. They are then to be regarded as an ad hoc contract pursuant to Art. 46(3)(a) GDPR, which is subject to approval by the competent supervisory authority. The third-party beneficiary clause (Clause 3) enables data subjects to assert and enforce numerous clauses of the SCC as third-party beneficiaries against the data exporter and/or data im-porter.

Clause 5 establishes a hierarchy between individual agreements between the parties and the SCC. According to this, the clauses of the SCC always take precedence. Conflicts are to be resolved in favour of the provisions of the SCC. However, this should not be understood to mean that conflicting contractual agreements take second place to the agreements of the SCC. Rather, in this case, the SCC lose their effect as an ‘appropriate guarantee’ in accord-ance with Clause 2 SCC. A new feature in this form is the coupling clause (Clause 7), which can be agreed upon. There is no obligation to do so. It allows new parties to join retrospectively, with the consent of the existing parties. The modalities of accession (e.g. fulfilment of an accession condition and the form of approval) are not regulated in detail in Clause 7, so that it is advisable to draw up a separate coupling clause, e.g. in a separate data protection framework agreement.

Section 2 (Clauses 8–13 SCC) first regulates the obligations of the contracting parties depending on the respective transfer constellation. In particular, recipients of personal data in third countries who act as data controllers have to deal with far-reaching requirements based on the GDPR. The data protection guarantees in Clause 8 agree on the processing principles of Art. 5(1) GDPR, including the accountability requirement under Art. 5(2). The data exporter also assures, in accordance with the generally applicable Clause 8(1) SCC, that it has satisfied itself ‘to the extent reasonably possible’ that the data importer is able to fulfil its obligations under these clauses by im-plementing appropriate technical and organisational measures. Clauses 10, 11 and 13 contain provisions on the rights of data subjects, legal remedies and supervi-sion. Of particular note are the liability provisions in the internal relationship (Clause 12). These essentially provide that the parties are liable without limitation in their internal relationship and indemnify each other accordingly. Due to a lack of clarification by the Com-mission, Clause 12 can be understood to mean that a limitation of liability in the internal relationship constitutes an impermissible amendment to the SCC.

Section 3 (Clauses 13, 14 SCC) contains specific provisions on the so-called ‘Transfer Impact Assessment (TIA)’ and on how to deal with security authority access to transferred data in the recipient country. This is a direct response to the ECJ ruling ‘Schrems II’ and should be regarded as an ‘additional measure’ of a contractual nature. The data exporter and data importer declare in the SCC that they have examined the legal situation in the third country with regard to data transfer and can guarantee that, to the best of their knowledge, there are no laws that pre-vent the data importer from complying with the clauses. The data exporter should also be supported by the data importer in the legal analysis to the best of its ability (by providing as much information as possible). In the event of conflicting laws, the data exporter must ensure that appropriate technical and organisational measures are in place.

Further information

European Commission, The New Standard Contractual Clauses – Questions and Answers