On 12 November 2020 the European Commission published the new standard contractual clauses (SCCs) on data transfer (model clauses), which would replace clauses C2C and C2P under Commission decisions issued under the European Data Protection Directive. The bill subjects international transfers to significantly stricter administrative conditions in the light of the Schrems II decision. The draft act is open for feedback for 4 weeks. Feedback will be taken into account for finalising the initiative.
Key takeaways regarding the draft implementing decision and the SCCs include:
- the SCCs cover (i) controller-to-controller transfers, (ii) controller-to-processor transfers, (iii) processor-to-processor transfers and (iv) processor-to-controller transfers (in particular where the EU processor combines personal data received from the third-country controller with personal data collected in the EU).
- the general clauses impose stricter conditions and accountability requirements, notification and regulatory reporting obligations; in addition to the conclusion of the general clauses, the parties shall document, inter alia, an impact assessment on data transfers.
- controllers and processors should select the module clauses applicable to their situation and tailor their obligations under the SCCs to their corresponding roles and responsibilities in relation to the data processing at issue.
- controllers or processors may incorporate the SCCs into a broader contract and may include additional clauses or safeguards, provided that they do not contradict directly or indirectly the SCCs or prejudice data subjects’ fundamental rights or freedoms.
- controllers and processors may continue to rely on the existing SCCs during a transitional period of one year from the adoption of the new SCCs, provided that the contract remains unchanged, with the exception of the inclusion of necessary supplementary measures to ensure that the transfer of personal data is subject to appropriate safeguards.
The adoption process for the SCCs requires an opinion of the European Data Protection Board and the European Data Protection Supervisor, and the positive vote of EU Member States through the comitology procedure. The final SCCs are expected to be adopted in early 2021.
By Adrienn Megyesi, Partner, KCG Partners Law Firm