GDPR: Questions and answers from the European Commission on the new standard contractual clauses for transfers – Data protection
To print this article, all you need to do is be registered or log in to Mondaq.com.
On May 25, 2022, exactly 4 years after the entry into force of the General Data Protection Regulation (“GDPR”), the European Commission (the “Commission”) published new guidance on standard contractual clauses (the ” CCAC”). Earlier in 2021, the Commission adopted a new set of CSCs aimed at providing greater flexibility for the cross-border transfer of personal data from the European Economic Area to third countries not benefiting from an adequacy decision . The Commission has published Questions and Answers on CSCs based on feedback received from various stakeholders and addressing 44 practical questions raised about new modular-type CSCs (the “Questions and Answers”).
What are the main takeaways?
- The Q&A confirms that the text of the CCS cannot be changed, except (1) to select specific modules or options offered in the text, (2) to complete the text if necessary (3) to fill in the annexes or (4) to add additional warranties. None of these actions are considered to alter the base text.
- However, the parties may supplement the CCAPs with additional clauses or incorporate them into a larger commercial contract, as long as the other contractual provisions do not contradict the CCAPs, directly or indirectly, or do not affect the rights of the data subjects.
- The questions and answers also provide practical advice regarding the “mooring clause”, which is an optional clause allowing an additional party to join a contract. All pre-existing parties can give their consent. The formalization of this consent is governed by national law and not by the CPCs. In order to make membership in the contract effective, the new party must complete the annexes and sign Annex I of the CCP. When joining the CPCs, the party will assume all rights and obligations in accordance with its role and the other parties will simultaneously have the corresponding rights and obligations vis-à-vis the new party.
- CPCs can be signed electronically if the national legislation governing the agreement allows electronic signing of agreements.
- The Commission also confirmed that subcontractors are required to provide the names of their respective subcontractors. It is not sufficient for sub-processors to only provide the categories for the sub-processor.
- Finally, the questions and answers provide important guidance on the four different SCC modules, the contexts in which they should be used as well as how the new SCCs should be used in a post Schrems II.1 background (read more about the Schrems II case here).
The transfer of personal data outside the EEA to countries without an adequacy decision can only be made if the data exporter – i.e. you or the (sub)processor, as applicable – provides appropriate safeguards, and provided that enforceable data subject rights and effective data subject remedies are available.
The SCCS may, depending on the circumstances, provide such appropriate safeguards. Therefore, if you or any of your sub-processors processing personal data on your behalf or, in turn, on behalf of your own sub-processors transfer or intend to transfer personal data as mentioned above above, SCCs might be the right choice. CSCs may need to be complemented by specific measures depending on the situation at hand.
We can provide you with any advice in this regard. We have developed an internal tool to quickly and efficiently provide you with the SCC modules or just one of them that your transfers need!
1 Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
POPULAR ARTICLES ON: European Union Privacy