European Commission issues draft on Standard Contractual Clauses

18. November 2020

A day after the European Data Protection Board (EDPB) issued its recommendations on supplementary measures, on November 12th the European Commission issued a draft on implementing (new) Standard Contractual Clauses (SCC) for data transfers to non-EU countries (third countries). The draft is open for feedback until December 10th, 2020, and includes a 12-month transition period during which companies are to implement the new SCC. These SCC are supposed to assist controllers and processors in transferring personal data from an EU-country to a third-country implementing measures that guarantee GDPR-standards and regarding the Court of Justice of the European Union’s (CJEU) “Schrems II” ruling.

The Annex includes modular clauses suitable for four different scenarios of data transfer. These scenarios are: (1) Controller-to-controller-transfer; (2) Controller-to-processor-transfer; (3) Processor-processor-transfer; (4) Processor-to-controller-transfer. Newly implemented in these SCC are the latter two scenarios. Since the clauses in the Annex are modular, they can be mixed and matched into a contract fitting the situation at hand. Furthermore, more than two parties can adhere to the SCC and the modular approach even allows for additional parties to accede later on.

The Potential of government access to personal data is especially addressed since this was a main issue following the “Schrems II” ruling. Potential concerns are met by implementing clauses that address, how the data importer must react when laws of the third country impinge his ability to comply with the contract (especially the SCC) and how he must react in case of government interference.  Said measures include notifying the data exporter and the data subject of any government interference, such as- legally binding requests of access to personal data; and if possible sharing further information on these requests (on a regular basis), documenting them and challenging them legally. Termination clauses are added, in case the data importer cannot comply anymore, e.g. because of changes in the third country’s law.

Further clauses regard matters such as data security, transparency, accuracy and onwards transfer of personal data. Issues that have all been tackled in the older SCC but are update now.