New standard contractual clauses and data processing agreement from the EU Commission
On 4 June, the European Commission adopted new standard contractual clauses («SCC»), which replace the previous standard clauses for the transfer of personal data to countries outside the EEA (third countries). In addition, the Commission has for the first time adopted a standard data processor agreement governing the data processor’s processing of personal data on behalf of the data controller.
The SCC are pre-approved clauses that provide a legal basis for the transfer of personal data without further approval from the data protection authorities. Since the previous clauses were based on the previous Data Protection Directive, an important aim has been to establish SCC in line with the EU Data Protection Regulation (GDPR). Another ambition has been to update the SCC to facilitate the parties’ compliance with the European Court of Justice’s ruling in Schrems II on 16 July 2020.
Compared to the previous SCC, there are no longer separate sets of clauses for transfers from an EEA-based controller to controllers or processors outside the EEA, respectively. Instead, a module-based approach has been chosen to cover four situations of transfers from data exporter(s) within the EEA to data importer(s) outside the EEA: controller – controller, controller – processor, processor – processor and processor – controller.
The module-based approach creates greater flexibility compared to the previous SCC, particularly since a processor in the EEA, e.g. a cloud service provider, can now establish a basis for transfers to its own subcontractors outside the EEA. For transfers between controllers and processors, the new SCC also contain full-fledged data processor provisions, so that it is no longer necessary to have a separate data processing agreement or additional provisions that supplement the SCC. There is also a separate docking clause that makes it easier to add new actors to the agreement at a later point in time.
There has been great anticipation as to how the new transfer agreement relates to the European Court of Justice’s Schrems II decision. In light of US surveillance laws, the court invalidated the Privacy Shield and upheld the SCC as a valid legal basis for transfers, provided that the parties have considered the need for additional measures to protect against access under third-country surveillance laws. It is important to note that the new SCC do not in themselves satisfy the stricter requirements set out in the Schrems II decision. However, the new SCC support the steps exporters and importers of personal data must take to comply with the GDPR transfer rules and Schrems II.
An important requirement for transfers based on the new SCC is that the parties have no reason to believe that local rules and practices in the third country, including intelligence legislation, prevent the parties from complying with the clauses. The parties undertake to document their Schrems II assessment and to make it available to the supervisory authorities upon request. The new SCC also set out in greater detail how the importer should handle any requests for access, including notifying the exporter, assessing and challenging the legality of access requests, and handing over as little information as possible.
As under the previous SCC, it is important to complete the SCC based on the specific situation at hand with regard to the parties to the agreement, choice of law, venue, competent supervisory authority and description of the information transferred (purpose, categories, etc.). In addition, even greater attention must now be paid to the description of the use of subcontractors and the completion of Annex II regarding technical and organisational measures. These measures will of course be relevant to ensure compliance with the information security requirements under the GDPR, but will also cover the additional measures that are necessary due to the strict requirements following the Schrems II judgment, cf. above.
The previous SCC are still available for use for a period of up to three months after the decision on the new SCC becomes effective (i.e. 20 days after publication in the Official Journal). After this period, the new agreement must be used for new transfers. If the parties have already entered into the previous SCC, these will provide a valid transfer basis (provided that they provide sufficient guarantees) for 18 months from the date of entry into force of the new SCC.
On 4 June, the European Commission also adopted a new standard data processor agreement. This is thus not a transfer agreement, but an agreement that contains the provisions required by Article 28 to govern the relationship between a controller and a data processor. It is voluntary to use this or another template that contains the necessary provisions. The Danish Data Protection Agency has previously received confirmation from the European Data Protection Board (EDPB) that its standard contractual clauses satisfy the requirements of the GDPR. Recently, the Norwegian Agency for Public and Financial Management (DFØ) also established a standard data processor template. The latter does not have a formal stamp of approval from the European Commission or the data supervisory authorities, but it is nevertheless one of several templates that can be used to put the necessary provisions in place between a controller and a processor.