On June 4, 2021, the European Commission published new standard contractual clauses (Standard Contractual Clauses; SCC; German / English), following the draft SCC dated November 12, 2020.
We reported on the draft and summarized the main innovations. A comparison (DeltaView) between the draft and the now approved version is available here (both in English):
- Implementation Decision (with underlying recitals);
- SCC.
General and working materials
Like the draft, the new SCC have a modular structure. They contain modules for the following transfers:
- Module 1: GDPR controllers to non-GDPR controllers without adequacy decision;
- Module 2: GDPR controllers to non-GDPR processors;
- Module 3: GDPR sub-processor to non-GDPR sub-processor;
- Module 4: GDPR processors to non-GDPR controllers.
Some clauses apply to all modules, some differ by module, and some are not applicable to all modules. Within individual modules, some clauses also provide options from which to choose. This does not make the document easy to understand.
Timing and transition periods
- The Implementing Decision shall enter into force on June 27, 2021 (20 days after publication in the Official Gazette on June 7, 2021).
- The new SCC are to be used from September 27, 2021; as of this date, the current SCC (i.e., the implementing decisions on which they are based) will be repealed. Until then, a three-month transition period therefore applies as of the entry into force of the Implementing Decision. From then on, new contracts can only use the new SCC (Art. 4 items 2 and 3 of the new Implementing Decision).
- For contracts existing on September 27, 2021, the old (that is, today's) SCC can continue to be used during a transition period of 15 months, now on the basis of the new Implementing Decision, i.e. until December 27, 2022 (Art. 4 No. 4 of the Implementing Decision). By then, existing contracts must be migrated to the new SCC.
Other remarks
- It should be noted at the outset that the SCC cannot and, according to the Implementing Decision, may not be used if the importer is subject to the GDPR, and this also holds if the applicability of the GDPR results from Art. 3(2) GDPR, i.e. the impact principle as concretized in data protection law (hence also the expression “GDPR controller” etc. above). The exporter must therefore ascertain whether the importer is subject to the GDPR; and since Art. 3(2) GDPR only covers certain processing operations in each case, this question may have to be answered specifically for the processing operation in question. In contrast, exporters outside the EEA also use the new clauses if they are themselves subject to the GDPR pursuant to Art. 3(2).
- Conceptually new are modules 3 and 4, for transfers between processors and for transfers from GDPR processors to non-GDPR controllers.
- Module 2 for controller-to-processor transfers contains the content required by Art. 28(3) GDPR. It should therefore no longer be mandatory to conclude a separate data processing agreement in addition to the SCC.
- Additional parties can join existing new SCC at any time. This is likely to become particularly relevant within corporate groups.
- The SCC contain liability provisions (a commitment to liability, not a limitation). Whether this liability provision is intended to be dispositive is an open question.
- The elephant in the room is of course Schrems II. The Commission believes – subject to the ECJ’s review of the Implementing Decision in Schrems III, IV or V – that the Schrems II issue is not resolved by the new SCC, but is addressed. To this end, the SCC contain their own Schrems II clauses in clauses 14 and 15, identical in each case for all four modules. According to Clause 14, the following applies:
  - The parties mutually assure each other that they trust the importer to be able to comply with the SCC despite its home law.
  - They do not draw this assurance from general life experience. Rather, they must clarify the effects of the importer’s home law in detail, with the cooperation of the importer. This is the basis of the so-called “Transfer Impact Assessments” (TIAs), which are likely to become much more prevalent as a result; this is particularly due to the documentation obligation that already arises for the exporter from the GDPR, but which now also becomes a contractual obligation for the importer. The TIA obligation also applies to onward transfers by an importer bound by the SCC to other non-DSA importers. It is to be expected that larger importers, first and foremost the US tech groups, will prepare and provide standardized TIAs.
  - The importer must inform the exporter if there is a relevant change in its law or in the authorities’ practice. In this case, the exporter must take additional measures and, if this fails, suspend the transfer; it may then also terminate the SCC.
- According to Clause 15, the following additionally applies in the event of access by authorities:
  - The importer must notify the exporter immediately, if it is allowed to do so. It shall regularly inform the exporter about lawful access requests.
  - The importer must check the legality of the access, document this check and challenge corresponding orders, unless it considers this to be futile. It must even apply for precautionary measures.
- It is obvious that these requirements favor the large providers and thus accelerate the concentration process among cloud providers.
- It is noteworthy that, in the case of the TIAs, the Commission seems to follow a risk-based approach and not a rights-based approach, as the EDPB tends to do in its guidelines for data transfers according to Schrems II. This is reflected, for example, in the fact that the parties must take into account the circumstances of the transfer, including the nature of the data and the practice of the authorities in the recipient state. The EDPB guidelines are only available in draft form, but are expected to be definitively adopted in the next 10 days, according to hearsay with the same thrust as the draft. So the relationship between these guidelines and the new SCC will undoubtedly be a topic of discussion.
- Should the EU deny the adequacy of Swiss data protection law, EEA exporters must conclude SCC with Swiss importers, unless an exception applies. This would be very burdensome for exporters, but even more so for importers, who would de facto be forced to provide their EEA contract partners with SCC and documentation tailored to Switzerland. In this case, the FOJ or the FDPIC will hopefully quickly provide the basics of a CH-TIA, which the importers could prepare on a sector-specific basis.
- The FDPIC has not yet ratified the new SCC, but will undoubtedly do so.