The cross-border transfer of personal data is something international business cannot function without. It is common not only on global platforms such as SaaS[1] solutions, but also in the in-house data management of multinational corporations within shared systems (CRM, HR, etc.).
In general
Most contracts regulating or relating to the transfer of personal data outside the EU or EEA have worked with so-called Standard Contractual Clauses approved by the European Commission as a contractual instrument to ensure adequate protection of the transferred personal data.
What are the Standard Contractual Clauses?
Within the European Union the freedom of movement of personal data applies. However, if EU data controllers or processors want to transfer personal data to third countries which have not been recognized by the EU as providing adequate protection (recognized countries include Japan or the UK), before transferring personal data to such a country, the EU controller or processor must either (i) enter into a contract with the recipient of the personal data in the third country containing Standard Contractual Clauses, (ii) adopt binding corporate rules with the recipient to ensure adequate protection of the personal data transferred, or (iii) use and contractually embed its own contractual clauses with the recipient to ensure adequate protection of the personal data transferred.
Standard Contractual Clauses are one of the most widely used tools to create appropriate safeguards for the protection of personal data transfers to third countries outside the EU.
Standard Contractual Clauses are a model text of a contract for the processing of personal data concluded between a controller or processor of personal data (the so-called data exporter) and a recipient of personal data in a third country (the so-called data importer). This text can be incorporated into another contract or terms and conditions or used as a stand-alone contract text.
New Standard Contractual Clauses
However, in June 2021, with effect from 27 June 2021, in response to case law, the European Commission adopted a new version of the Standard Contractual Clauses for personal data transfer from the EU with a different structure, which should now cover personal data transfers in a more comprehensive way. The new Standard Contractual Clauses replace the previous ones from 2010.
The new Standard Contractual Clauses not only implement the requirements of the General Data Protection Regulation (GDPR) but in particular respond to the CJEU’s ruling in Schrems II[2], which questioned the reliability of the original Standard Contractual Clauses and invalidated the EU-US Privacy Shield.
The new Standard Contractual Clauses combine general provisions with a modular approach. This means that they consist of (i) fixed provisions that cannot be changed, (ii) modules to be added or removed from the contract depending on the parties, and (iii) headed provisions to be added by the parties (e.g. categories of personal data to be transferred).
While the original Standard Contractual Clauses only distinguished between two types of personal data transfers (controller-processor and controller-controller), the new Standard Contractual Clauses introduce more flexibility and provide four modules for four types of potential data transfers: (i) controller-controller, (ii) controller-processor, (iii) processor-processor and (iv) processor-controller.
In addition, the new Standard Contractual Clauses introduce new institutes and arrangements such as so-called docking clauses, information obligations of the recipient of personal data towards the person transferring personal data, security or control obligations, or the possibility to choose the applicable law of any EU Member State.
What needs to be done now?
All new contracts concluded from 27 September 2021 onwards that involve the transfer of personal data will have to include new Standard Contractual Clauses.
Historical contracts concluded before 27 September 2021 that involve the transfer of personal data and work with the original Standard Contractual Clauses will have to have their personal data transfer clauses replaced with the new wording of the Standard Contractual Clauses by 27 December 2022.
Conclusion
Controllers and processors should check whether existing contracts for the processing or transfer of personal data comply with the requirements of the GDPR and the new Standard Contractual Clauses.
If the controller or processor fails to comply with these obligations, any transfer of data based on them will become unlawful, i.e. in breach of the GDPR. In addition to the risk of heavy fines from supervisory authorities, including foreign ones, they will also be liable for damages or other harm directly to the individuals concerned.
In case of any questions regarding this issue or current legislation, we are at your disposal. Please do not hesitate to contact us.
Mgr. Jakub Málek, partner – malek@plegal.cz
Kristýna Nguyenová, legal assistant – nguyenova@plegal.cz
15. 10. 2021
[1] Software as a Service
[2] Judgment of the Court of Justice of the EU in Case C-311/18