Version as of June 2021
EU Standard Contractual Clauses GDPR
In June 2021, the European Commission published the new version of the EU Standard Contractual Clauses GDPR for the international transfer of personal data.
We provide you with an overview of the most important changes and advantages. The update affects all companies that work with service providers outside the European Economic Area, such as Microsoft, Google or Facebook. The content of the new version has been adapted to the GDPR, contains significant changes with regard to contractual relationships and order processing agreements, incorporates the decision of the European Court of Justice "Schrems II" and has a modular structure. The EU standard contractual clauses apply from 07 June 2021, which means that already concluded standard contractual clauses must be updated with a transition period of 18 months.
In the following article, you will learn what companies now have to observe and do. You will also find answers to the most frequently asked questions about the new EU standard contractual clauses.
Key information about the EU Standard Contractual Clauses
- at 07 June 2021 the new version of the EU standard contractual clauses was published by the European Commission
- The standard contractual clauses are abbreviated as "SCC"
- The main reason for updating the standard contractual clauses is the Content adjustment to the GDPR which came into force in 2018
- The standard contractual clauses are in the new version constructed modularly and include more scenarios for the data transfer between controllers, processors and sub-processors
- The EU standard contractual clauses are valid since 07 June, contract clauses concluded after this date must already contain the new requirements, for old contracts there is a Transition period of 18 months
Content on the subject of EU Standard Contractual Clauses:
The current EU Commission Implementing Decision on the standard contractual clauses for transfers of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council can be found on the Online portal for EU law EUR-Lex.
EU standard contractual clauses video: what businesses need to know now (only available in german)
What are the so-called EU standard contractual clauses of the GDPR?
In principle, the standard contractual clauses deal with the transfer of personal data outside the EU economic area, unless there is an adequacy decision for that country. The adequacy decision means that the level of data protection in a country outside the EU is the same as within the EU. This applies, for example, to Switzerland, Australia or Israel. If the level of data protection is below the European standard, it may be possible to conclude agreements that make data protection obligatory. One such contract is the EU standard contractual clauses, but also, for example, the Binding Corporate Rules. The EU standard contractual clauses have been designed by the EU Commission and may not be negatively undercut. If companies want to transfer personal data outside the EU to so-called third countries, they need standard contractual clauses to oblige the third country to align the processing of personal data with the EU level of data protection.
Background information on the EU standard contractual clauses GDPR
How long have standard contractual clauses been in place?
In 2001 and 2004 and 2010, respectively, the first standard contractual clauses were adopted, regulating the transfer of data between controllers and the transfer of data between controllers and processors. In early June 2021, the European Commission adopted a new edition of the standard contractual clauses.
Why were the new EU standard contract clauses adopted?
There were several reasons for updating the standard contractual clauses. The old standard contractual clauses still referenced the old Federal Data Protection Directive, which was replaced by the BDSG and later by the GDPR. In addition, when the GDPR came into force, it became clear that there were scenarios in the cooperation with service providers that were not fully provided for in the old standard contractual clauses. Thus, only the cooperation between controller and processor or between two controllers was regulated, but not cases such as subcontracting relationships in a third country. As a result, in addition to the standard contractual clauses, many companies need documents that have closed the gap on the processor. Since the entry into force of the GDPR in 2018, standard contractual clauses have almost always had an annex or an addendum, which can now be omitted with the new standard contractual clauses.
In addition, in July 2020, the ECJ declared the EU-US Privacy Shield invalid. The Privacy Shield previously regulated data transfers between the US and the EU and acted as a self-certification process for US companies. Privacy activist Max Schrems argued that US authorities would have access to the electronic communications of non-US citizens even under the Privacy Shield. Thus, the European Court of Justice found that the US does not ensure adequate data protection, which violates the fundamental rights of European citizens. This ruling has been incorporated into the new EU standard contractual clauses.
What are the advantages of the new EU standard contractual clauses?
- Adaptation to the GDPR : The old standard contractual clauses were adopted before the entry into force of the GDPR, an update to the contents of the GDPR was made with the new standard contractual clauses.
- Modular design and more processing scenarios: The new EU standard contractual clauses are modular and designed to cover a wider range of processing scenarios (including subcontracting).
- Replacement of the processing contracts: With the new EU standard contractual clauses, the requirements for processing contracts are covered at the same time. The only exception to this is the Section II Clause 8 Module four the new standard contractual clauses.
- EU standard contractual clauses take precedence: The standard contractual clauses take precedence over, for example, contradictory contractual clauses or general terms and conditions clauses, which are contained in Section 1 Clause 5 is regulated.
- The Schrems II ruling of the ECJ was taken into account: Further down in the article the changes are described in more detail, these changes are described in Section III Clauses 14 and 15 defined in the standard contractual clauses.
- Modular liability regulation: The new standard contractual clauses regulate in Clause 12 the liability of the contracting parties in modular liability clauses.
What has changed in the standard contractual clauses?
The previous standard contractual clauses only covered certain processing constellations, namely controller to controller and controller to processor. The new standard contractual clauses are modular and take into account the following situations:
- Data transfer between data controllers
- Data transfer between controller and processor
- Data transfer from processors to sub-processors
- Data transfer from processor to controller
Extended circle of possible data exporters
Another new feature is that processors can use the standard contractual clauses as data exporters. This results in the possibility that processors based within the EU can use subcontractors outside the EU.
Fulfilment of the obligations arising from Art. 28 GDPR
Prior analysis of possible risks in the country of destination
The Schrems II decision and the EDSA recommendation oblige companies to address the protection of personal data in third countries. Contractual partners must check the level of data protection and the legal provisions of the respective country to see whether they contradict the standard contractual clauses. This analysis must be documented and made available to the competent supervisory authority upon request.
Obligations of the data importer in the event of access to the data by public authorities
Data importers are required to notify data subjects when authorities can access the data exporter's data
It is also possible to conclude the standard contractual clauses between several parties. This provides more flexibility for companies because parties that are not already part of the concluded standard contractual clauses may join as data exporter or data importer at a later stage with the consent of the contracting parties.
Which modules are included in the EU standard contractual clauses?
- Module 1: Transmission from responsible persons to responsible persons
- Module 2: Transfer of responsible persons to processors
- New: no additional order processing contract required any more
- Module 3: Transfer of processors to (sub)processors
- New: Standard contractual clauses can only be used between two processors in the June 2021 version.
- New: No need to conclude a (subcontracting) processing contract.
- New: The responsible party as a contracting party must, however, be named in the standard contractual clauses.
- Module 4: Transfer of processors to controllers
- New: Standard contractual clauses can only be used in this way in the June 2021 version to cover cases where a company outside the EU engages a processor within the EU.
How are the standard contractual clauses agreed in practice?
Standard contractual clauses are usually provided by service providers in the form of individual contracts. Standard contractual clauses are mostly recorded as individual contracts when companies do not provide large scale services to EU customers. In certain cases, standard contractual clauses are also adapted as part of the T&Cs to allow large US providers to automatically conclude the clauses with the cooperation.
For responsible companies located in the European Economic Area, the first and most important step is a properly maintained data protection documentation:
- In the first step, a presentation of all processors and possible sub-processors in a list is necessary.
- This list is filtered by the external/internal data protection officer or data protection officer according to whether a data transfer to a third country takes place.
- For these cases, the standard contractual clauses need to be updated.
To what extent has the Schrems II ruling been taken into account?
The two most important innovations based on the "Schrems II" judgment can be seen in the access to data of EU citizens by public authorities in third countries and the case-by-case assessment of appropriate data protection measures when cooperating with companies in third countries.
- Data importers are obliged Requests from public authorities in third countriesthat contradict the requirements and security measures of the standard contractual clauses. They must prevent these entities, which are based in third countries, from accessing European citizens' data. Access to this data is now only possible through legal channels.
- Companies are obliged to "Transfer Risk Assessment" (TRA) or data transfer impact assessment. This case-by-case assessment ensures that the contractual partners in the third country are capable of complying with the obligations of the standard contractual clauses and guaranteeing the rights and freedoms of the data subjects.
When will the new standard contractual clauses apply?
The new EU standard contractual clauses were adopted by the EU Commission in June and are already in force, which means that the old contracts no longer apply as of today. However, the Transition period the adaptation to the new standard contractual clauses 18 months.
The standard contractual clauses provide a basis for data transfer and cooperation with companies in third countries without an adequacy decision. However, this basis is not one hundred percent legally secure in terms of data protection to ensure the protection of EU citizens' data. This is because the new EU standard contractual clauses still require a case-by-case assessment, which is the responsibility of the data exporter. The text of the contract and the actual level of data protection must be examined to ensure how adequate the data protection is.
In adapting the standard contractual clauses, responsible persons must address the following questions, among others.
- Check contract text: Have the correct standard contractual clauses been chosen and their content adapted? Are the annexes properly completed?
- Check level of data protection: Do the commitments comply with the appropriate level of data protection through e.g. pseudonymisation, EU server location encryption procedures? Is the risk of access to the data by US authorities prevented?
Privacy Review - The Podcast for Privacy Professionals
#16: EU Standard Contractual Clauses with lawyer Richard Bode (only available in german)
That's what the podcast is about:
In June 2021, the EU Commission published the new EU standard contractual clauses for data transfers to third countries. In the podcast, Prof. Dr. Andre Döring and lawyer Richard Bode provided information on the following points:
- Legally secure transfer of data outside the EU economic area
- Innovations and scope of the EU standard contractual clauses
- Entry into force, transitional periods and necessary activities
- Data transfer scenarios and complexity of processing chains
- Obligations of the data importer: Access of authorities to the data
- Obligation of the data exporter: case-by-case examination of the data importer
Conclusion and practical recommendation
With the new EU standard contractual clauses, companies get more flexibility in the design of data transfers to third countries. Nevertheless, companies must be aware that the new standard contractual clauses have become more time and resource intensive. This means that addressing data transfer to third countries is an ongoing task. Companies need to consider the circumstances of data protection in the relevant third countries and continually review and amend data protection contracts. The new standard contractual clauses are thus a good successful update, but also do not offer 100% legal certainty, because the case-by-case assessment of processing operations in third countries must still be evaluated by companies.