New standard contractual clauses

On June 4, 2021, the European Commission adopted a new set of contracts for the transfer of personal data to recipients in countries outside the EU, the so-called standard contractual clauses. Existing data protection contracts based on the old standard contractual clauses must now be adapted to the new law. Companies may still conclude data transfer contracts based on the old clauses for a transitional period of three months from the publication of the new standard contractual clauses in the EU Official Journal (cut-off date: Sept. 27, 2021). However, all contracts must be converted to the new standard contractual clauses within 18 months of the publication date at the latest (by Dec. 27, 2022). Our recommendation: If you are currently in contract negotiations or planning to use a new service provider in a third country, use only the new standard contractual clauses from now on.

Requirements and what is new:

  1. It must be checked whether the data importer is in a position to comply with the contractual regulations, in particular for protection against disproportionate access by authorities, given the legal situation in the third country. The result of this check and any technical and organizational measures taken to protect the data (e.g., encryption) must be documented by the parties and submitted to the supervisory authority responsible for the data-exporting EU company upon request.
  2. The data importer must also defend itself against official requests for information to the extent legally possible and inform the data exporter and data subjects thereof. The data importer is also required to notify the data exporter if it believes it is not (or no longer) able to protect the data from access by public authorities. Upon receipt of such notification, the exporter must stop the data transfer unless the supervisory authority allows it to continue.
  3. The so-called "docking clauses" are a pragmatic and probably useful novelty; they are intended to allow additional parties to join the standard contractual clauses.
  4. Another new feature is that the standard contractual clauses provide for liability of the parties for breaches of duty not only vis-à-vis the persons concerned, but also in relation to each other. It is unclear whether the parties can exclude or at least limit this liability in their internal relationship, e.g., to align it with the liability regime that would otherwise apply between them.
  5. Furthermore, it is important to mention that the new standard contractual clauses already fulfill the requirements for a processing contract pursuant to Art. 28 GDPR. Concluding an additional order processing contract with the third country is therefore not necessary.

Important:

If, in a third country such as the USA, China or Russia, there is a risk, which is not merely theoretical, that security authorities could access the transferred data in a disproportionate manner, and if this risk cannot be eliminated by additional measures such as data encryption, the new standard contractual clauses cannot legitimize the data transfer either.

The new standard contractual clauses are modular, i.e. instead of different standard contractual clause forms, in future there will only be one version containing these four modules, see graphic:

Module 1: Data transfers from controller to controller: controller (GDPR applicable) ⇒ controller (third country)

Module 2: Data transfers from controllers to processors: controllers (GDPR applicable) ⇒ processors (third country)

Module 3: Data transfers from processors to other processors: processors (GDPR applicable) ⇒ other processors (third country)

Module 4: Data transfers from processors to controllers: processors (GDPR applicable) ⇒ controllers (third country)

Instructions for action:

  1. Check with which companies you have already concluded standard contractual clauses or which companies in third countries process personal data for you (indications: list of processors and processing directory).
  2. Contact these companies and attach the new standard contractual clauses as a document (Publications Office (europa.eu)). Point out the necessary changes to your contractual partners. (In the case of global players such as Microsoft, we assume that they will change the service terms on their own; therefore, wait and see here first.)
  3. Document additional measures that the data importer can guarantee (e.g. encryption).
  4. If not already available, keep a list of all service providers/cooperation partners/suppliers operating in a third country and note with which ones you have already concluded the new contractual clauses and which ones still need to be "taken care of".