In today’s interconnected world, cross-border data transfers are routine. However, transferring personal data out of the European Union (EU) or European Economic Area (EEA) to a country that does not provide an adequate level of data protection can put individuals’ privacy at risk. To address this, the EU’s General Data Protection Regulation (GDPR) provides, in Article 46(2)(c), for standard contractual clauses (SCCs) as one mechanism for transferring personal data to such third countries.

What are Standard Contractual Clauses?

SCCs are contract clauses adopted by the European Commission that set out the obligations between the data exporter (the organization subject to the GDPR) and the data importer (the organization in the third country) so that the transferred personal data remains subject to a level of protection essentially equivalent to that in the EU. They are legally binding on the parties, enforceable in the EU member states and by the data subjects themselves as third-party beneficiaries, and they are one of the “appropriate safeguards” the GDPR requires for transfers to countries without an adequacy decision.


GDPR and SCCs

Under the GDPR, transferring personal data to a country outside the EU or EEA that has no adequacy decision requires appropriate safeguards so that the data remains subject to an adequate level of protection. SCCs provide such a safeguard by fixing the obligations of both the data exporter and the data importer. The text of the clauses is set by the Commission and must be used without modification; the parties may add other clauses or commercial terms only where they do not contradict the SCCs or reduce the protection for data subjects.

The current SCCs (Commission Implementing Decision (EU) 2021/914) are modular and cover four transfer scenarios: controller to controller, controller to processor, processor to processor (a processor passing data to a sub-processor), and processor to controller. The parties select the module matching their relationship and complete the annexes describing the parties, the transfer, and the technical and organizational security measures.


Standard Contractual Clauses and the US Privacy Shield

The US Privacy Shield was a framework for transfers of personal data from the EU to self-certified organizations in the US. The Court of Justice of the European Union (CJEU) declared it invalid in the Schrems II judgment (Case C-311/18) on 16 July 2020, finding that US surveillance law did not limit access to the transferred data to what is strictly necessary and offered EU data subjects no effective redress. The invalidation took effect immediately, with no grace period.

Organizations that had relied on the Privacy Shield had to find another transfer mechanism, and SCCs were the obvious candidate. The CJEU upheld the SCC decision itself, but made clear that signing the clauses is not enough on its own: the data exporter must verify, before transferring, that the law and practice of the third country do not prevent the importer from complying with the clauses. Where they do, the exporter must adopt supplementary measures that close the gap, or suspend or end the transfer.

This verification is a case-by-case assessment, commonly called a transfer impact assessment, of the importer and of the destination country’s legal framework. Relevant factors include the nature and sensitivity of the data, the purposes of the transfer, the importer’s sector and its exposure to government access requests, and whether contractual, organizational or technical measures (for example encryption with keys held only in the EU, or pseudonymisation that the importer cannot reverse) can keep the data out of reach of third-country authorities. The European Data Protection Board’s Recommendations 01/2020 describe how to carry out this assessment and which supplementary measures are considered effective.

SCCs therefore remain an important mechanism for transferring personal data outside the EU and EEA, but only together with a documented assessment of the importer and the destination country, and supplementary measures where the assessment requires them. With the Privacy Shield invalidated, SCCs became the main tool for transfers to the US; the EU-US Data Privacy Framework, found adequate by the Commission in July 2023, has since provided an alternative, but only for US organizations that have certified under it.


Here is a first example of how SCCs are used in practice:

Let’s say that a company based in Germany wants to transfer personal data, such as customer information or employee records, to a company in the United States for processing on the German company’s behalf. Absent an adequacy decision that covers the recipient (the US has no general adequacy decision; the EU-US Data Privacy Framework covers only organizations certified under it), the German company needs an appropriate safeguard under Article 46.

One option is SCCs. The two companies would incorporate the Commission’s clauses into their contract, selecting the controller-to-processor module, and complete the annexes: the parties, the purposes of the transfer, the categories of personal data and of data subjects, the retention period, and the technical and organizational security measures the importer commits to. The clauses themselves may not be altered, and the data subjects can enforce them directly against both parties.

The German company would also need to assess, and document, whether US law and practice could prevent the US company from honouring the clauses. Relevant factors include the nature and sensitivity of the data, the level of risk to the individuals concerned, and whether the importer falls within the scope of US surveillance laws that allow public authorities to compel access to the data. If the assessment identifies a gap, the German company would have to add supplementary measures, for example transferring only data encrypted with keys that stay under its own control, or pseudonymised so that the US company cannot re-identify individuals, and otherwise refrain from the transfer.

By combining the SCCs with a documented assessment and any required supplementary measures, the German company can demonstrate that the transfer complies with the GDPR and that the rights and freedoms of the data subjects are protected.


A second example:

Let’s say that a company based in France wants to transfer its customers’ personal data to a company in India that will handle customer service on its behalf. As India has no adequacy decision from the European Commission, the French company needs an appropriate safeguard.

Here too the French company can rely on SCCs, again the controller-to-processor module, completing the annexes with the purposes of the transfer, the categories of personal data and data subjects, the rights of the data subjects, and the security measures the Indian company commits to.

The French company would also need to assess whether Indian law and practice could prevent the Indian company from complying with the clauses, taking into account the nature of the data, the level of risk associated with the transfer, and the powers of Indian public authorities to access data held by the importer.

The Indian company will in addition be bound by local rules such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which set requirements for collecting, storing and handling personal data in India. Compliance with local law is useful context, but it does not replace the assessment: what matters for the transfer is whether anything in Indian law obliges the importer to act against the clauses (for instance, to disclose the data to authorities beyond what is necessary and proportionate in a democratic society), and, if so, whether supplementary measures can maintain the protection.

By using SCCs together with this assessment, the French company can demonstrate that the transfer complies with the GDPR and that the rights and freedoms of the data subjects are protected.


The following is a simplified illustration of the kind of content such clauses contain, with placeholders to fill in. It is not the Commission’s approved text. To rely on Article 46(2)(c), the parties must use the official SCCs (Commission Implementing Decision (EU) 2021/914) verbatim, selecting the right module and completing the annexes; a self-drafted contract, however similar, is not an SCC and does not by itself legalise the transfer. The official clauses also contain provisions this illustration omits, including third-party beneficiary rights for data subjects, the importer’s obligations regarding local laws and public authority access requests, liability, and supervision by an EU supervisory authority.

Illustrative controller-to-processor clauses for the transfer of personal data to a processor established in a third country (modelled on the structure of clauses under Article 46(2)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))

Controller:

[Insert name and address of the controller]

Processor:

[Insert name and address of the processor]

Purpose of the processing:

[Insert purpose of the processing]

Description of the personal data:

[Insert description of the personal data]

Duration of the processing:

[Insert duration of the processing]

Obligations of the controller:

The controller agrees to:

  • provide the processor with written instructions for the processing of personal data;
  • ensure that the transfer of personal data to the processor is conducted in compliance with applicable data protection laws;
  • ensure that the personal data is accurate and up-to-date;
  • notify the processor of any changes to the personal data; and
  • assist the processor in fulfilling its obligations under these Standard Contractual Clauses.

Obligations of the processor:

The processor agrees to:

  • process the personal data only on the documented instructions of the controller;
  • ensure that its personnel are bound by confidentiality obligations with respect to the personal data;
  • implement appropriate technical and organizational measures to protect the personal data;
  • assist the controller in complying with its obligations under applicable data protection laws;
  • notify the controller without undue delay if it becomes aware of a personal data breach; and
  • delete or return the personal data to the controller at the end of the processing.

Sub-processing:

The processor may engage sub-processors only with the prior written consent of the controller. Where the processor engages sub-processors, it shall enter into a written agreement with the sub-processor that provides sufficient guarantees to implement appropriate technical and organizational measures in such a way that the processing will meet the requirements of applicable data protection laws.

Applicable law:

These Standard Contractual Clauses shall be governed by and interpreted in accordance with [insert governing law and jurisdiction].

Signatures:

For [insert name of the controller]:

[Insert signature of the authorized representative]

For [insert name of the processor]:

[Insert signature of the authorized representative]

Date:

[Insert date of the signature]