A contribution from Lena Götzinger and Hannes Meyle
As of September 27, 2021, the “new” standard contractual clauses (“SCC”) published as of June 4, 2021, must generally be used for the transfer of personal data to countries outside the EEA that do not offer an adequate level of data protection from the perspective of the GDPR. A transition period for the continued use of the “old” SCC exists only for previously concluded contracts, on condition that the processing that is the subject of the contract does not change (we reported).
The same applies to transfers of personal data from Switzerland to countries without an adequate level of data protection (nota bene: The transition period is somewhat longer in Switzerland). In the meantime, the FDPIC has approved the SCC – subject to a “Swiss Finish” (details hereand below) – are recognized as sufficient guarantees pursuant to Art. 6 Par. 2 lit. a FADP.
Against this backdrop, many of the major (cloud) providers have now implemented the new SCC in their contract documents.
The models of Google, Microsoft and Salesforce
- Google CloudFor Google Cloud Services customers located in the EEA or Switzerland (and who have provided Google with an appropriate billing address), a Google company also located in the EEA or Switzerland (“Google Europe”) acts as a contractual partner. Transfers of personal data between the customer and Google Europe therefore take place between countries with an adequate level of data protection and do not require SCC protection. However, depending on the products selected in each case, personal data may also be accessed from outside the EEA or Switzerland, e.g. by the US company Google Inc. For such “onward transfers” to countries without an adequate level of data protection, Google Europe enters into Module 3 of the new SCC with the relevant data recipients. This module covers the situation between a processor as data exporter (here: Google Europe) and its sub-processor as data importer (here: e.g. Google Inc.). The concrete SCC agreed upon by Google are available on the Google website. The upstream transfer of data from customers to Google Europe is controlled by the Data Processing Terms covered.
This explicitly includes the case where the customer is located in Switzerland as a data controller (see the definition of “Adequate Country”, “supervisory authority” and “European Data Protection Law”). Google explains its approach to the implementation of the new SCCs in more detail in this Whitepaper.
- MicrosoftFor customers of Microsoft products and services from the EEA or Switzerland, the contract partner is usually the Irish Microsoft company, Microsoft Ireland Operations Limited (“MIOL”). In some circumstances, Microsoft uses the US-based Microsoft Corporation as a subcontracted processor. For the implementation of the new SCC, Microsoft therefore chooses a similar path as Google, in that MIOL concludes Module 3 of the new SCC with Microsoft Corporation (cf. the Data Protection Addendum). Customers in Switzerland should ensure that Amendment ID M329 (“Amendment for Switzerland regarding Microsoft Products and Services Data Protection Addendum”) – which is only accessible to customers – is included. Only then is it contractually assured that the new SCC (instead of (also) the “old” SCC from 2010) apply.
Microsoft explains its approach to implementing the new SCCs in more detail in a Blogpost.
- SalesforceSalesforce customers from the EEA and Switzerland generally conclude their contracts with the Irish subsidiary “Salesforce Ireland”. Depending on which products are purchased, data transfers to the US-based salesforce.com, Inc. (“Salesforce Inc.”), or accesses may be made from Salesforce Inc. However, Salesforce is taking a different approach than Google and Microsoft: according to the new Data Processing Addendum (“DPA”), the SCC are agreed directly between the customer and Salesforce Inc. Salesforce consequently offers Module 2 of the new SCC to customers who are data protection controllers. Primarily, Module 2 was developed for the conclusion between data controller and order processor. The use in the relationship between data controller and Atorder processor is nevertheless not inadmissible and corresponds to the practice under the old SCC.
Comparison with the situation before application of the new SCC
Module 3 of the new SCC allows providers to use SCC in the contractual relationship in which the relevant data transfer to be secured by SCC takes place. Under the “old” SCC, which strictly speaking only covered the constellation of EEA controller as data exporter and third country processor as data importer (and not the relationship between processors and sub-processors), the SCC were therefore partly concluded directly between controller and sub-processor, as is still handled by Salesforce today.
As a result of the Schrems II ruling of the European Court of Justice (“ECJ”), many data controllers then had to deal with the question of whether (especially taking into account the question of how likely it is that authorities in the recipient country will access the transferred data) contractual, technical and/or organizational measures must be taken in addition to these “old” SCCs in order to ensure an adequate level of data protection (“Transfer Impact Assessment” or “TIA” for short).
The ECJ’s considerations that a generic use of SCCs depending on local law in the recipient country may not be sufficient are therefore reflected in the new SCCs. Clause 14 provides for an assurance by the parties to the SCC that they have no reason to believe that local law in the recipient country (and legal practice there) prevents the data importer from fulfilling its obligations under the SCC. This assurance requires a TIA between the parties.
Consequences for Responsible Parties in the EEA and Switzerland: Transfer Impact Assessment?
If the SCCs are concluded between the CH/EEA processor and the third country sub-processor (and the controller is consequently not a party to the SCCs), the question arises whether the controller can rely on its processor to carry out a TIA and take additional measures if necessary. Or does the responsible party remain obligated to conduct the audit itself even in these cases?
The answer to this question must be based on the principles of data protection law. The transfer of personal data abroad should not lower the protection of personal data. The norm addressees of the regulations concerning the transfer of personal data abroad are therefore the responsible parties and Order processor (Art. 44 ff. DSGVO, Art. 6 DSG).
However, the obligation to provide appropriate safeguards in the event that the recipient country does not offer an adequate level of data protection is incumbent on the dataexporter (Art. 46 para. 1 DSGVO and Art. 6 DSG). This speaks prima facie that the controller is not subject to any verification obligations in the event of an “onward transfer” between its processor and its sub-processor.
However, such a view does not go far enough. Art. 6 DPA or Art. 46 (1) GDPR do not exempt from compliance with the other provisions of data protection law. This includes the obligation to ensure that the commissioned processor only processes the personal data as the controller itself would be permitted to do (Art. 10a DSG; Art. 28 DSGVO). When delegating tasks to the order processor, the controller must therefore carefully select the order processor and ensure through instructions and verification that the provisions of data protection law are complied with. Otherwise, the delegator could simply dispense with his legal obligations by means of delegation.
Requiring the controller to conduct a comprehensive transfer impact assessment in the event of an “onward transfer” by the order processor to an insecure third country would therefore be too far-reaching. However, the responsible party can only instruct and check the order processor appropriately with regard to compliance with data protection if it has an overview of the data flows. In addition, only the controller knows which personal data are transmitted in detail, for which purposes they are processed, and whether special risks arise from the context of the processing. The controller may therefore not leave the assessment of the data protection risk in a specific case exclusively to the processor.
Accordingly, data controllers should also strive for data protection compliance in downstream onward transfers of personal data. he following steps can serve as indications for a “best practice” approach:
- Trace data flows and verify which subcontractors have access to personal data;
- Evaluate what contractual or other safeguards exist between the EEA/CH Order Processor and recipients in unsafe third countries;
- Examination of data protection risks based on actual circumstances (e.g., transmission of sensitive health data or investigative content, known access by authorities to certain providers);
- Checking whether any risks can be minimized by additional optional technical measures provided by the provider (“enhanced customer controls” that are not already preset) or whether further technical/organizational measures need to be taken;
- Document appropriate considerations and review the risk assessment at regular intervals.
Especially for Swiss managers: Do the SCCs have to be provided with a “Swiss Finish”?
If a controller follows the above “best practice” recommendations and considers contractual or other safeguards between order processors and subcontracted processors, the question arises whether these SCCs need to be provided with a “Swiss Finish”, i.e. with adaptations that take into account Swiss data protection law.
The FDPIC has a clear position on this. In its Working paper from August 27, 2021 the SCC is only recognized on condition that “the necessary adjustments and additions are made for use under Swiss data protection law” (we reported). The FDPIC considers it “necessary” in this sense to clarify, for example, that the term “Member State” (also) means Switzerland.
In the view expressed here, the adjustments proposed by the FDPIC are strictly speaking not “necessary” (in the sense of legally mandatory), since the corresponding contents already result from legal and contractual principles:
- According to the working paper, the “competent supervisory authority in Annex I.C pursuant to clause 13” of the SCC should (at least also) be the FDPIC. However, the competence of the FDPIC, unlike a jurisdiction agreement, cannot be established by contract. Rather, the local jurisdiction and the powers of the FDPIC are based on the principle of legality under the DPA. Under the current FADP, the FDPIC can only exercise supervision over those matters that are in Switzerland occur. With regard to data transfers abroad (Art. 6 FADP), the supervision of the FDPIC in principle only extends to data transfers from Switzerland. In the case of onward transfers (e.g., from an EU sub-processor to a US sub-processor), the FDPIC could, if necessary, take (limited under the current DPA) measures against a data controller located in Switzerland (cf. Art. 29(1)(c) DPA and Art. 31(1)(e) DPA). Under the old law, an adaptation of Annex I.C is therefore superfluous, but under the revised law it is obsolete: the revised FADP is applicable to all situations that occur in Switzerland. impact (Art. 3 revDSG) and the supervision of the FDPIC extends to all breaches of data protection law (Art. 49 para. 1 revDSG). Either way, the addition of the FDPIC as a supervisory authority is therefore not legally mandatory. However, it could – from the perspective of the FDPIC – bring relief if clause 13(b) of the SCC is understood as a provision in the sense of a genuine contract in favor of third parties. The FDPIC could then take direct action against the data importer on the basis of the contractual agreement between the parties, instead of having to take the official and legal assistance route.
- According to the requirements of the FDPIC, the SCC must be further supplemented with an appendix according to which the GDPR references are to be understood as such to the DPA (insofar as the data transfers are subject to the DPA) and “the term ‘Member State’ may not be interpreted in such a way that data subjects in Switzerland are excluded from the possibility to sue for their rights in their habitual place of residence (Switzerland) pursuant to clause 18 c”.
If, however, the SCC are used to (also) secure data transfers under the DPA and to protect the rights of data subjects in Switzerland, the same would be achieved even without this explicit clarification.
- From the perspective of the FDPIC, either “Swiss law or the law of a country that permits and grants rights as a third-party beneficiary” must be chosen as the applicable law. Compared to the unchanged SCC, this already does not represent an adjustment, since clause 17 of the SCC already prescribes a corresponding choice of law. The fact that clause 17 refers to an EU member state in this respect does not do any harm, since the true intention of the parties is decisive.
- Finally, the FDPIC calls for adjustments to include the protection of data of legal entities until the DPA enters into force. In many cases, this will hardly be justifiable. Foreign legal systems often contain provisions for the protection of data of legal entities, e.g., through secrecy provisions, the law of fair dealing or copyright law. The fact that, in view of this, there is no need for additional protection under data protection law is finally also confirmed by the revDSG, which is now only applicable to personal data of natural persons.
Although the adaptations proposed by the FDPIC are not legally mandatory, it is nevertheless advisable to follow them for transfers out of Switzerland for other reasons. The FDPIC has recognized the SCCs only subject to the adjustments it has proposed. If the SCC are concluded in unchanged form, they must therefore be submitted to the FDPIC before they are used – under both the DPA and the revDSG. The intentional violation of this obligation is subject to a fine (Art. 34 para. 2 lit. a FADP, Art. 61 lit. a revDSG).
In the constellations of onward transfers described above, it does not appear necessary to require a “Swiss Finish” from (sub)contract processors or to pass it on in the contractual chain. Thus, the FDPIC refers in its working paper of August 27, 2021 correctly points out that the SCC refer to “data transfers from Switzerland to a third country pursuant to Art. 6 (2) (a) FADP” without referring to any onward transfers. Art. 6 para. 2 lit. a FADP only covers direct transfers from Switzerland to an unsafe third country. If, as in the constellations described above, personal data is first transferred to a secure country and then from there to an insecure country, the FADP only applies to the first transfer. This first transfer is permissible under Art. 6(1) DPA, since the protection in the destination country is recognized as adequate (indisputably at least insofar as the personal data of natural persons are concerned). The exporter may therefore rely (within the framework of his previously described obligations) on the fact that the law in the country of destination also provides for the necessary measures for further export to unsafe third countries. Even under the new SCC, this cannot go so far as to require identical protection, as otherwise the practical benefits of adequacy decisions would again be undermined. If order processors in the constellations outlined above use the SCC without “Swiss Finish”, this therefore does not prevent the transfer from being permissible from our perspective.