EU Standard Contractual Clauses Explained
If a company wants to transfer personal data to countries outside the European Union or the European Economic Area that fall into the category of third countries, a data protection guarantee for the transfer is required in addition to the legal basis for the data processing. In the absence of an adequacy decision by the EU Commission, the EU standard contractual clauses, also known as the EU Commission’s standard data protection clauses (SCC for Standard Contractual Clauses), have therefore been used for years.
These documents, which are now 25 years old, have now been updated.
This FAQ is intended to answer the questions that have arisen in this context and thus provide assistance in using the new clauses in a data protection-compliant manner.
If you have any further questions and would like assistance in making the necessary adjustments, please contact the 2B Advice Team.
When Does My Company Need SCC?
As soon as a company, either in the role of controller and/or processor, transfers personal data to a so-called “third country”, pursuant to Art. 44 et seq. GDPR (General Data Protection Regulation), appropriate safeguards for the protection of these data are required to ensure that the level of protection for the data of natural persons guaranteed by the GDPR is not undermined.
If there is no adequacy decision by the EU Commission for the third country, the SCCs (Standard Contractual Clauses) will usually be an essential basis for this.
As the well-known Schrems II judgment of the European Court of Justice (judgment of July 16, 2020, Case C 311/18) has made clear, the guarantees listed in Art. 44 et seq. GDPR are not sufficient. Instead, the data protection situation in the recipient’s country must be examined and it must be determined which additional technical and organizational measures (encryption, anonymization, pseudonymization) are required for the specific case.
A possible outcome of such a risk assessment may also be the decision not to carry out the planned data transfer and to find a solution with EU-based service provider instead, so that no third-country data transfer takes place.
How Do the New SCC Differ From the Old Ones?
The previous standard contractual clauses date back to 1996. The new SCC have now been adapted to the wording and requirements of the GDPR.
The new SCCs have a modular structure and offer significantly more individual customization options, but also more work before they can be used for the respective data transfer. Whereas with the previous SCCs the customization work usually ended with the completion of the information on the two contracting parties, with the new SCCs only then the actual customization and of the SCC begins.
In the new SCC, other entities can join a contract concluded on the basis of the standard contractual clauses as data importers or exporters for the first time.
Previously, there were no clauses for the “processor and sub-processor” scenario. The new standard contractual clauses are modular in structure, thus applicable to a larger number of contracts than before, and also include contracts at the sub-processor level.
If service providers process data on the instructions of a company, this constitutes data processing on behalf of the company within the meaning of the GDPR. In such cases, a so-called data processing agreement (DPA for short) must be concluded. The new standard contractual clauses now also meet the requirements for a data processing agreement. This means that if a contract is concluded on the basis of the standard contractual clauses, then the conclusion of an additional DPA is no longer mandatory.
Clauses 14 and 15 of the new SCC contain specific safeguards that correspond to some of the additions already proposed by data protection authorities and the European Data Protection Board (“EDSA”) to the old standard contractual clauses to meet the requirements of the Schrems II ruling.
It is now fortunately stipulated in the new SCC that these take precedence and supersede any conflicting contractual or GTC clauses (Section I Clause 5).
In Section II, Chapter 12 contains modular liability clauses and (together with the provision on the primacy of the SCC) stipulates that the liability of the contracting parties is not limited, for example, by external liability exclusions in GTCs.
The contracting parties can now specify in Section IV (Clauses 17 & 18) the applicability of a particular national law and the place of jurisdiction (within the EU). For example, the applicability of German law can be specified even though the standard contractual clauses are concluded by a subsidiary in Italy.
Regarding the discussions currently taking place on data transfers to the USA or other third countries, the data importer commits in clause 15, among other things, to:
- To make best efforts to lift the ban on notification of the data exporter / data subject. The goal here shall be to ensure that as much information as possible and as quickly as possible can be communicated. The data importer therefore takes care to document the efforts it has made to be able to prove them at the request of the data exporter.
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity (These are acts, practices and rules observed in international relations between states because of their sovereignty due to friendship, neighborliness and mutual respect).. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules.
This obligation can lead to considerable costs for the data importer (if the corresponding decisions to disclose data are actually made).
Both Parties undertake in Clause 14, that they have considered, in particular, the following aspects:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards.
- any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
These three points must therefore be considered in particular for third-country transfers as part of the risk assessment and considerations, and this must be documented.
Can I Continue to Use the Old SCC?
These three points must therefore be considered in particular for third-country transfers as part of the risk assessment and considerations, and this must be documented. However, these would have to be replaced by the new SCC by December 27, 2022, at the latest.
As of September 27, 2021, the new SCC must be used without exception.
How Long Can I Use Old SCC?
The new standard contractual clauses will have to be adopted for all newly concluded contracts as of September 27, 2021. Until then, the old SCCs could still be used, but these would then have to be replaced by the new SCCs by December 27, 2022, at the latest.
I Have a Contract With Old SCC. Do I Have to Replace Them With the New SCC Now?
Not immediately, the replacement of the previous SCC with the new SCC must take place by December 27, 2022, at the latest. Provided that the contract ends before this date, replacement is therefore not mandatory.
In case of relevant contract changes, the data exporter should take the opportunity immediately and replace the existing SCC with the new ones. For example, in case of subcontracting of processing operations that are the subject of the contract to a sub-processor/contractor.
When Do I Have to Replace Old SCC With the New Ones?
In the case of existing contracts, the replacement must take place within 18 months, i.e., by December 27, 2022, at the latest. If the corresponding contract or processing ends earlier than that, the replacement is not mandatory.
What Should Be Done if My Contractual Partner Does Not Want to Update the SCC?
If the cooperation and the associated data exchange with the contract partner will continue after December 27, 2022, the contract partner should be informed of the legal risks (see item 3.9) and the specific reasons for the refusal should be investigated.
After 25 years of good service, the old SCCs are no longer up to date and hardly able to manage contractual constellations in a current and where necessary individual way. The new SCCs better meet the current challenges and support the contractual partners in configuring third-country transfers in a data-protection-compliant manner. Thus, updating the SCC is in the interest of both parties.
If the contractual partner nevertheless refuses, it would make sense to re-evaluate the continuation of the contractual relationship, considering the additional risks this poses for your own company.
With Whom Must SCC Be Concluded?
As soon as a data transfer to a country outside the EU / EEA is to take place, the new SCCs must be concluded between the respective parties involved.
The new SCCs have four different processing configurations (modules), which must be selected correctly for each SCC:
- Module One C2C Controller to Controller
Transfer from a controller (in the EU) to another controller (in a third country).
- Module Two C2P Controller to Processor
Transfer from controller (in the EU) to processor (in the third country)
- Module Three P2P Processor to Processor
Transfer from a processor (in the EU) to another (sub-) processor (in the third country)
- Module Four P2C Processor to Controller
Transfer from a processor (in the EU) to the controller (in the third country)
Can I Adapt or Delete Clauses in the SCC?
The new SCCs are modular and must be customized individually within the scope of the available modules.
Except for selecting the appropriate module(s) or adding or updating information in the attachment, no other changes or deletions are allowed.
However, the standard contractual clauses can be included in a more comprehensive contract (e.g., as an annex). In addition, further clauses or additional guarantees can also be added, as far as these do not directly or indirectly contradict the other provisions of the SCC or restrict the fundamental rights or freedoms of the data subjects, such as the data subject rights (Art. 15-22 et seq. GDPR).
In Which Language Do I Have to Use the New SCC?
The new version of the SCC is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en in all European languages and can be used accordingly. We recommend that you use the language that you predominantly use in your communication with the respective contract partner, or the language in which you have created the other contract documents.
If you want to use two language versions in parallel (e.g., English for your contract partner in the UK and German for your contract partner in the UK), it makes sense to determine which of the two documents has priority should there be any discussions concerning interpretation.
Do I Have to Hand Over the New SCC to the Data Subjects?
As before, Art. 13(1)(f) GDPR requires that the data subject be informed about the “… appropriate or adequate safeguards and how to obtain a copy of them or where they are available”. E.g.:
In cases where there is a transfer of data outside the EU, we have entered into appropriate EU standard contractual clauses. A copy of these clauses can be requested by emailing us at SCCfirstname.lastname@example.org or can be found on our website at www.company.com/scc.
Can I Now Transfer Personal Data to Third Countries Such as the United States Without Further Action Under the New SCC? Can I Avoid Additional Protections?
No. As part of a mandatory risk assessment, the data protection situation in the recipient country must be evaluated and suitable protective measures defined on this basis. If this is not the case, according to the chairpersons of the German data protection conference, the data processing may not take place at all.
What Risk Does My Company Face If I Do Not Use the SCC or Use It Incorrectly?
In addition to the risk of warnings from interest groups and competitors (competition law) and reputational damage in the event of media coverage of data processing that does not comply with data protection law, there is in particular the risk of sanctions by the responsible supervisory data protection authority.
- The sanction options (Art. 58 GDPR) include the following
- the possibility of conducting investigations in the form of data protection audits,
- to issue a warning,
- instructing to bring processing operations into compliance with the law, if necessary, in a specific manner and within a specific period,
- order the suspension of the transfer of data to a recipient in a third country or to an international organization,
- Impose a temporary or definitive restriction on processing, including a ban; and/or
- Impose a fine of up to EUR 20 Million or, in the case of a group of companies or groups, of up to 4% of its total annual worldwide turnover for the preceding financial year, whichever is higher, for breaches of the provisions relating to the transfer of personal data to a recipient in a third country or to an international organization (Articles 44 to 49 of the GDPR).
When selecting a sanction, the supervisory authority will certainly also consider whether there have been efforts to use the SCC correctly or whether the SCC has been completely ignored despite an obvious requirement.
Initially, the EU Whistleblower Directive was supposed to be effective by December 17, 2021. However, the legislative process failed.Right of Access by the Data Subject
The right of access, enshrined in Art. 15 of the GDPR, gives data subjects the right to obtain from the controller.Subject Access Request Automation
Individuals have the right to access their personal data, commonly referred to as subject access. But can this process be automated?