
How Google, Microsoft and Salesforce are implementing the new SCC and what this means for controllers in the EEA and Switzerland

A contribution from Lena Götzinger and Hannes Meyle

As of September 27, 2021, the “new” standard contractual clauses (“SCC”) published on June 4, 2021, must generally be used for the transfer of personal data to countries outside the EEA that do not offer an adequate level of data protection from the perspective of the GDPR. A transition period for the continued use of the “old” SCC exists only for previously concluded contracts, on condition that the processing that is the subject of the contract does not change (we reported).

The same applies to transfers of personal data from Switzerland to countries without an adequate level of data protection (nota bene: the transition period is somewhat longer in Switzerland). In the meantime, the FDPIC has approved the SCC – subject to a “Swiss Finish” (details here and below) – as sufficient guarantees pursuant to Art. 6 para. 2 lit. a FADP.

Against this backdrop, many of the major (cloud) providers have now implemented the new SCC in their contract documents.

The models of Google, Microsoft and Salesforce

  • Google Cloud: For Google Cloud Services customers located in the EEA or Switzerland (and who have provided Google with an appropriate billing address), a Google company also located in the EEA or Switzerland (“Google Europe”) acts as the contractual partner. Transfers of personal data between the customer and Google Europe therefore take place between countries with an adequate level of data protection and do not require SCC protection. However, depending on the products selected in each case, personal data may also be accessed from outside the EEA or Switzerland, e.g. by the US company Google Inc. For such “onward transfers” to countries without an adequate level of data protection, Google Europe enters into Module 3 of the new SCC with the relevant data recipients. This module covers the situation between a processor as data exporter (here: Google Europe) and its sub-processor as data importer (here: e.g. Google Inc.). The concrete SCC agreed upon by Google are available on the Google website. The upstream transfer of data from customers to Google Europe is covered by the Data Processing Terms.
    This explicitly includes the case where the customer is located in Switzerland as a data controller (see the definitions of “Adequate Country”, “supervisory authority” and “European Data Protection Law”). Google explains its approach to the implementation of the new SCCs in more detail in this Whitepaper.
  • Microsoft: For customers of Microsoft products and services from the EEA or Switzerland, the contract partner is usually the Irish Microsoft company, Microsoft Ireland Operations Limited (“MIOL”). In some circumstances, Microsoft uses the US-based Microsoft Corporation as a sub-processor. For the implementation of the new SCC, Microsoft therefore chooses a path similar to Google’s, in that MIOL concludes Module 3 of the new SCC with Microsoft Corporation (cf. the Data Protection Addendum). Customers in Switzerland should ensure that Amendment ID M329 (“Amendment for Switzerland regarding Microsoft Products and Services Data Protection Addendum”) – which is only accessible to customers – is included. Only then is it contractually assured that the new SCC (instead of (also) the “old” SCC from 2010) apply.
    Microsoft explains its approach to implementing the new SCCs in more detail in a blog post.
  • Salesforce: Salesforce customers from the EEA and Switzerland generally conclude their contracts with the Irish subsidiary “Salesforce Ireland”. Depending on which products are purchased, data may be transferred to the US-based salesforce.com, Inc. (“Salesforce Inc.”), or accessed by Salesforce Inc. However, Salesforce is taking a different approach than Google and Microsoft: according to the new Data Processing Addendum (“DPA”), the SCC are agreed directly between the customer and Salesforce Inc. Salesforce consequently offers Module 2 of the new SCC to customers who are data controllers. Module 2 was primarily developed for conclusion between a data controller and a processor. Its use in the relationship between a data controller and a sub-processor is nevertheless not inadmissible and corresponds to the practice under the old SCC.

Comparison with the situation before application of the new SCC

Module 3 of the new SCC allows providers to use the SCC in the contractual relationship in which the relevant data transfer to be secured by SCC actually takes place. Under the “old” SCC, which strictly speaking only covered the constellation of an EEA controller as data exporter and a third-country processor as data importer (and not the relationship between processors and sub-processors), the SCC were therefore partly concluded directly between controller and sub-processor, as Salesforce still does today.

As a result of the Schrems II ruling of the European Court of Justice (“ECJ”), many data controllers then had to deal with the question of whether (especially taking into account how likely it is that authorities in the recipient country will access the transferred data) contractual, technical and/or organizational measures must be taken in addition to these “old” SCCs in order to ensure an adequate level of data protection (“Transfer Impact Assessment” or “TIA” for short).

The ECJ’s considerations that a generic use of SCCs may not be sufficient, depending on local law in the recipient country, are therefore reflected in the new SCCs. Clause 14 provides for an assurance by the parties to the SCC that they have no reason to believe that local law in the recipient country (and legal practice there) prevents the data importer from fulfilling its obligations under the SCC. This assurance requires a TIA between the parties.

Consequences for controllers in the EEA and Switzerland: Transfer Impact Assessment?

If the SCCs are concluded between the CH/EEA processor and the third-country sub-processor (and the controller is consequently not a party to the SCCs), the question arises whether the controller can rely on its processor to carry out a TIA and take additional measures if necessary. Or does the controller remain obligated to conduct the assessment itself even in these cases?

The answer to this question must be based on the principles of data protection law. The transfer of personal data abroad must not lower the protection of personal data. The addressees of the rules concerning the transfer of personal data abroad are therefore controllers and processors (Art. 44 ff. GDPR, Art. 6 FADP).

However, the obligation to provide appropriate safeguards where the recipient country does not offer an adequate level of data protection is incumbent on the data exporter (Art. 46 para. 1 GDPR and Art. 6 FADP). Prima facie, this suggests that the controller is not subject to any verification obligations in the event of an “onward transfer” between its processor and its sub-processor.

However, such a view does not go far enough. Art. 6 FADP and Art. 46(1) GDPR do not exempt from compliance with the other provisions of data protection law. These include the obligation to ensure that the commissioned processor only processes the personal data as the controller itself would be permitted to do (Art. 10a FADP; Art. 28 GDPR). When delegating tasks to the processor, the controller must therefore carefully select the processor and ensure through instructions and verification that the provisions of data protection law are complied with. Otherwise, the delegating party could simply evade its legal obligations by means of delegation.

Requiring the controller to conduct a comprehensive transfer impact assessment in the event of an “onward transfer” by the processor to an insecure third country would therefore be too far-reaching. However, the controller can only instruct and check the processor appropriately with regard to data protection compliance if it has an overview of the data flows. In addition, only the controller knows in detail which personal data are transmitted, for which purposes they are processed, and whether special risks arise from the context of the processing. The controller may therefore not leave the assessment of the data protection risk in a specific case exclusively to the processor.

Accordingly, data controllers should also strive for data protection compliance in downstream onward transfers of personal data. The following steps can serve as indications for a “best practice” approach:

  • Trace data flows and verify which subcontractors have access to personal data;
  • Evaluate what contractual or other safeguards exist between the EEA/CH processor and recipients in insecure third countries;
  • Examine data protection risks based on the actual circumstances (e.g., transmission of sensitive health data or investigative content, known access by authorities to certain providers);
  • Check whether any risks can be minimized by additional optional technical measures provided by the provider (“enhanced customer controls” that are not already preset) or whether further technical/organizational measures need to be taken;
  • Document the relevant considerations and review the risk assessment at regular intervals.

Especially for Swiss controllers: Do the SCCs have to be provided with a “Swiss Finish”?

If a controller follows the above “best practice” recommendations and considers the contractual or other safeguards between processors and sub-processors, the question arises whether these SCCs need to be provided with a “Swiss Finish”, i.e. with adaptations that take Swiss data protection law into account.

The FDPIC has a clear position on this. In its working paper of August 27, 2021, the SCC are only recognized on condition that “the necessary adjustments and additions are made for use under Swiss data protection law” (we reported). The FDPIC considers it “necessary” in this sense to clarify, for example, that the term “Member State” (also) means Switzerland.

In the view expressed here, the adjustments proposed by the FDPIC are strictly speaking not “necessary” (in the sense of legally mandatory), since the corresponding contents already follow from legal and contractual principles:

  • According to the working paper, the “competent supervisory authority in Annex I.C pursuant to clause 13” of the SCC should (at least also) be the FDPIC. However, the competence of the FDPIC, unlike a jurisdiction agreement, cannot be established by contract. Rather, the territorial jurisdiction and the powers of the FDPIC are based on the principle of legality under the FADP. Under the current FADP, the FDPIC can only exercise supervision over those matters that occur in Switzerland. With regard to data transfers abroad (Art. 6 FADP), the supervision of the FDPIC in principle only extends to data transfers from Switzerland. In the case of onward transfers (e.g., from an EU sub-processor to a US sub-processor), the FDPIC could, if necessary, take (under the current FADP limited) measures against a data controller located in Switzerland (cf. Art. 29(1)(c) FADP and Art. 31(1)(e) FADP). Under the current law, an adaptation of Annex I.C is therefore superfluous, and under the revised law it is obsolete: the revised FADP is applicable to all situations that have an effect in Switzerland (Art. 3 revFADP), and the supervision of the FDPIC extends to all breaches of data protection law (Art. 49 para. 1 revFADP). Either way, the addition of the FDPIC as a supervisory authority is therefore not legally mandatory. However, it could – from the perspective of the FDPIC – bring relief if clause 13(b) of the SCC is understood as a provision in the sense of a genuine contract in favor of third parties. The FDPIC could then take direct action against the data importer on the basis of the contractual agreement between the parties, instead of having to take the route of official and legal assistance.
  • According to the requirements of the FDPIC, the SCC must further be supplemented with an appendix according to which the GDPR references are to be understood as references to the FADP (insofar as the data transfers are subject to the FADP) and “the term ‘Member State’ may not be interpreted in such a way that data subjects in Switzerland are excluded from the possibility to sue for their rights in their habitual place of residence (Switzerland) pursuant to clause 18 c”.
    If, however, the SCC are used to (also) secure data transfers under the FADP and to protect the rights of data subjects in Switzerland, the same result would be achieved even without this explicit clarification.
  • From the perspective of the FDPIC, either “Swiss law or the law of a country that permits and grants rights as a third-party beneficiary” must be chosen as the applicable law. Compared to the unchanged SCC, this does not represent an adjustment at all, since clause 17 of the SCC already prescribes a corresponding choice of law. The fact that clause 17 refers to an EU member state in this respect does no harm, since the true intention of the parties is decisive.
  • Finally, the FDPIC calls for adjustments to include the protection of data of legal entities until the revised FADP enters into force. In many cases, this will hardly be justifiable. Foreign legal systems often contain provisions for the protection of data of legal entities, e.g., through secrecy provisions, unfair competition law or copyright law. The fact that, in view of this, there is no need for additional protection under data protection law is finally also confirmed by the revFADP, which is now only applicable to personal data of natural persons.

Although the adaptations proposed by the FDPIC are not legally mandatory, it is nevertheless advisable to follow them for transfers out of Switzerland for other reasons. The FDPIC has recognized the SCCs only subject to the adjustments it has proposed. If the SCC are concluded in unchanged form, they must therefore be submitted to the FDPIC before they are used – under both the FADP and the revFADP. The intentional violation of this obligation is subject to a fine (Art. 34 para. 2 lit. a FADP, Art. 61 lit. a revFADP).

In the constellations of onward transfers described above, it does not appear necessary to require a “Swiss Finish” from (sub-)processors or to pass it on in the contractual chain. Thus, the FDPIC correctly points out in its working paper of August 27, 2021 that the SCC refer to “data transfers from Switzerland to a third country pursuant to Art. 6 (2) (a) FADP” without referring to any onward transfers. Art. 6 para. 2 lit. a FADP only covers direct transfers from Switzerland to an insecure third country. If, as in the constellations described above, personal data is first transferred to a secure country and from there to an insecure country, the FADP only applies to the first transfer. This first transfer is permissible under Art. 6(1) FADP, since the protection in the destination country is recognized as adequate (indisputably at least insofar as the personal data of natural persons are concerned). The exporter may therefore rely (within the framework of its previously described obligations) on the law in the country of destination also providing the necessary measures for further export to insecure third countries. Even under the new SCC, this cannot go so far as to require identical protection, as otherwise the practical benefits of adequacy decisions would again be undermined. If processors in the constellations outlined above use the SCC without a “Swiss Finish”, this therefore does not, from our perspective, prevent the transfer from being permissible.
