News

New standard data protection clauses and new standard contractual clauses

04.06.2021

Today, the European Commission published the final versions of its new “standard data protection clauses” for the transfer of personal data to third countries and “standard contractual clauses” for controllers and processors in the EU/EEA.

Background

On 12 November 2020, the EU Commission welcomed public feedback by publishing the first drafts of the clauses that have now been adopted.

Opinions on the drafts were voiced, for example in a joint declaration adopted by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS).

New standard contractual clauses for processing

By adopting the new “standard contractual clauses” for data controllers and processors, the Commission has now created the first EU-wide uniform template for agreements involving controllers and processors in the EU.

This represents the Commission’s first exercise of the authority granted to it under Article 28 (7) GDPR to issue standard contractual clauses.

New standard data protection clauses for international data transfers

The new “standard data protection clauses” replace the previous Standard contractual clauses for the transfer of personal data to third countries from 2001 and Standard contractual clauses for the transfer of personal data to processors established in third countries from 2010  (see Article 46 (2) (c) GDPR).

The new “standard data protection clauses” for international data transfer now adopted by the Commission provide for a number of changes to the previous standard contractual clauses, particularly in that they are to be applicable in a modular approach to not only transfers between controllers (Module 1) but also transfers to processors (Module 2) as well as (re)transfers from processors to other (sub)processors (Module 3) and transfers from processors to controllers (Module 4).

In the opinion of the EU Commission, the new “standard data protection clauses” for international data transfer also take into account the requirements laid down by the European Court of Justice (ECJ) in its sensational Schrems II decision.

However, due to the fact that they are contractual clauses, even the “standard data protection clauses” for international data transfer cannot provide an ultimate solution for all aspects of conflicts with the national law of third countries. In its decision on the “standard data protection clauses” for international data transfer, the EU Commission even expressly points out (para. 19) that personal data should not be transferred based on the standard data protection clauses for international data transfer “if the laws and practices of the country of destination prevent the data importer from complying with the clauses”.

Thus, companies that export data, even on the basis of the new “standard data protection clauses” for international data transfer, will generally have no choice but to examine, for each data transfer to a third country based on the “standard data protection clauses”, what laws govern the particular data importer in the country of destination, as well as any further recipients, and whether these laws impair the guarantees they make when they sign the standard data protection clauses for international data transfer. It is imperative to analyse each specific data transfer and determine which of the laws of the third country are applicable.

What companies need to do

For controllers and processors that are currently using the previous standard contractual clauses for data transfers to third countries, the decision on the new “standard data protection clauses” provides for an 18-month transition period.

For this reason, we recommend beginning soon to examine existing contracts and then taking the necessary steps to update them.

For more information: