European Commission publishes new Standard Contractual Clauses
Today, the European Commission has issued modernised Standard Contractual Clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernised SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46.
According to the GDPR, contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. These new SCCs have been “pre-approved” by the European Commission.
The European Commission’s statement explains “the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) are free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.”
An important aspect of the new flexible SCCs is that the Annex enables the parties to “combine the general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains. In addition to the general clauses, controllers and processors should select the module applicable to their situation, so as to tailor their obligations under the standard contractual clauses to their role and responsibilities in relation to the data processing in question.”
26 recitals explain how exporters and importers should use the new SCCs. The annexes give details for different scenarios and appropriate modules:
Data protection safeguards: Transfer controller to controller; Transfer controller to processor; Transfer processor to processor; Transfer processor to controller
Use of sub-processors: Transfer controller to processor; Transfer processor to processor
Data subject rights: Transfer controller to controller; Transfer controller to processor; Transfer processor to processor; Transfer processor to controller
Redress: Transfer controller to controller; Transfer controller to processor; Transfer processor to processor
Liability: Transfer controller to controller; Transfer processor to controller; Transfer controller to processor; Transfer processor to processor
Supervision: Transfer controller to controller; Transfer controller to processor; Transfer processor to processor
There are further sections on:
- Obligations in case of access by public authorities
- Non-compliance with the Clauses and termination
- Governing law
- Choice of forum and jurisdiction
- Wording to include in appended documents.
This decision will enter into force 20 days after publication in the Official Journal
See: