The Standard Contractual Clauses (“SCCs”) are aimed at ensuring appropriate data protection safeguards for international personal data transfers. Therefore, both the controller or processor who transfers the data to a third country and the party who receives such data can include the SCCs in a wider agreement and add additional safeguards, provided that they do not contradict the SCCs.
These new SCCs, currently open for public consultation, come as a much-awaited update of the existing ones (published in 2001 and 2010), which had become to some extent obsolete. The update adjusts them to the new requirements of the General Data Protection Regulation and the recent guidance documents issued by the relevant supervisory authorities.
The new SCCs cover not only data transfers from controllers to processors, but also from controllers to controllers, processors to controllers and processors to sub-processors. In any case, both the importer and the exporter of the data should be able to demonstrate compliance with the SCCs at any time.
In this respect, as part of their accountability duty, in order to ensure effective enforcement, the data importer should: (i) agree to respond to inquiries, submit to audits and comply with the measures adopted by the supervisory authority, (ii) keep appropriate documentation for the processing activities under its responsibility, and (iii) inform the data exporter if it is unable to comply with the SCCs. In this latter case, the data exporter should: (i) suspend the transfer or even terminate the agreement where the data importer is unable to comply with the SCCs and (ii) identify appropriate measures to address the situation, which may include technical or organisational supplementary measures to ensure security and confidentiality.
Another relevant takeaway is that parties shall deal with any inquiries and requests they receive from individuals relating to the processing of their personal data and the exercise of their rights under the SCCs.
The new SCCs emphasise compliance with the data protection principles set out in the EU General Data Protection Regulation. In particular, accuracy, data minimisation and data storage play an important role, as does the security of the data that is transferred, especially in relation to special category data.
Parties must be aware that the transfer and processing of personal data under SCCs should only take place if the laws of the third country of destination do not prevent the data importer from complying with them. In these cases, the data exporter should assess and determine if additional safeguards can be implemented as described in the recent recommendations on supplementary measures for international data transfers by the European Data Protection Board.
Finally, organisations have a grace period of one year from the date of entry into force of this European Commission Decision; meanwhile organisations can continue to rely on the SCCs set out in the previous Decisions 2001/497/EC and 2010/87/EU, with the exception of necessary supplementary measures to ensure the transfers are subject to the safeguards that Article 46 of the GDPR requires.
Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries