As of 27 September 2021, New Rules Apply to Contracts Involving Data Transfers Outside the EEA

27 Sep 2021

The new rules for data transfers will mostly impact vendor contracts for global services, such as SaaS solutions, cloud hosting services or various communication tools. Here is what you should know about them.

Most of the contracts involving transfers of personal data outside the EEA relied on so-called Standard Contractual Clauses adopted by the European Commission as a contractual instrument and safeguard. However, in June 2021, the European Commission adopted a new version of the Standard Contractual Clauses with a different structure that should now cover transfers of personal data in a more comprehensive way.

All new contracts that involve data transfers will have to include the new Standard Contractual Clauses. With respect to historical contracts, a grace period for ensuring that the old Standard Contractual Clauses are replaced with the new will end on 27 December 2022.

Standard Contractual Clauses for data transfers to non-EU countries

Under Article 46 of the GDPR, a controller or a processor may transfer personal data to a third country or an international organization strictly subject to appropriate safeguards. The Standard Contractual Clauses for data transfers adopted by the European Commission are one of the categories of such appropriate safeguards. Following the CJEU’s decision in the Schrems II case, the new set of the Standard Contractual Clauses for data transfers adopted by the European Commission should reflect the interpretation of the CJEU, provide additional safeguards with respect to potential access requests of third-country governments and overcome the gaps that resulted from the mechanism established by the old Standard Contractual Clauses for data transfers that were adopted on the basis of the repealed Directive 95/46/EC.

While the old Standard Contractual Clauses recognized only two types of data transfers (controller-to-controller and controller-to-processor), the new Standard Contractual Clauses provide more flexibility and provide four modules for four types of potential data transfers: (i) controller-to-controller, (ii) controller-to-processor, (iii) processor-to-processor and (iv) processor-to-controller. The parties, i.e., a data exporter and a data importer, should choose the appropriate module or modules which correspond to the types of data transfers that the parties intend to carry out.

When should a company execute the Standard Contractual Clauses?

The Standard Contractual Clauses for data transfers apply to transfers of personal data from EEA to third countries which have not been recognized as providing adequate protection (i.e., the European Commission has not issued an adequacy decision under Article 45 of the GDPR). Typically, transfers from EEA to the U.S.A. will require the execution of appropriate set(s) of SCCs. On the other hand, , if the transfer is between EEA countries or e.g., to the UK or Japan which are covered by adequacy decisions, the Standard Contractual Clauses will not be necessary.

It shall be noted that a so-called “onward transfer” of personal data belonging to EU citizens from one third country (e.g., China) to another third country (e.g., United States) will constitute a data transfer that is subject to Standard Contractual Clauses or other appropriate safeguards under Article 46 of the GDPR.

What news do the new Standard Contractual Clauses bring?

Docking clause. The Standard Contractual Clauses provide a mechanism based on which a party that is not a party to the executed Standard Contractual Clauses may subsequently accede at any time either as a data exporter or a data importer. This option may be beneficial especially with respect to intragroup transfers where affiliates may become involved in data processing activities at various times.

Assessment of local laws. Data importers are required to carry out and provide to data exporters an assessment of local laws in the jurisdiction of destination. When preparing such transfer assessment, data importers should particularly consider the Recommendations on supplementary measures issued by the European Data Protection Board. Furthermore, both parties warrant that they have no reason to believe that the local laws prevent the data importer from fulfilling its obligations under the Standard Contractual Clauses.

Responding to government requests. The Standard Contractual Clauses impose an obligation on data importers to promptly notify the data exporter of any request of a public authority requesting direct access to data exporter’s data. In cases where such notification of the data exporter is prohibited under the applicable local law, data importers are required to use best efforts to obtain a waiver of the prohibition.

When will the new Standard Contractual Clauses become applicable?

The new Standard Contractual Clauses for data transfers entered into force on 27 June 2021 and can therefore be used by data exporters and data importers if they choose to do so. The old Standard Contractual Clauses are, however, still valid and applicable. However, as of 27 September 2021, the old Standard Contractual Clauses can no longer be incorporated to new contracts.

With respect to historical contracts, data exporters will be able to rely on the already executed old Standard Contractual Clauses until 27 December 2022.

Data exporters should make sure to replace the Standard Contractual Clauses by 27 December 2022. Following this date, the contracts concluded under the old Standard Contractual Clauses will be no longer deemed to provide the appropriate safeguards within the meaning of Article 46(1) of GDPR.

Standard Contractual Clauses for processing between controllers and processors

In June 2021, the European Commission issued another set of Standard Contractual Clauses with the purpose to provide for a minimum contractual framework between a controller and a processor in order to comply with the requirements of Article 28 of the GDPR. The European Commission therefore provides a template for a data processing agreement (DPA), however, the parties are free to add other clauses or additional safeguards provided that they do not contradict the Standard Contractual Clauses drafted by the European Commission.

The second set of the Standard Contractual Clauses for processing mainly governs the relationships between controllers and processors established in EEA and cannot be used as an appropriate safeguard for data transfers to third countries.

The Standard Contractual Clauses for processing entered into force on 27 June 2021 and can be therefore already used by controllers and processors.

Download the SCCs: