Beware of new standard contractual clauses when transferring personal data outside the EU!
The European Commission has adopted two implementing regulations with significant impact on personal data processing. Effective from 27 June 2021, it is possible to use new standard contractual clauses for transferring personal data from the EU/EEA to third countries and new standard contractual clauses for contracts on personal data processing between controllers and processors. This further strengthens the protection of personal data, especially with respect to its processing in third countries.
Contractual clauses for personal data transfers from the EU to third countries
The new standard contractual clauses for transferring personal data from the EU/EEA to third countries are the first clauses of this kind adopted under the GDPR’s effectiveness, responding to the decision of the Court of Justice of the EU from July 2020 holding the EU-US Privacy Shield invalid, thus making any transfers of personal data to the USA more difficult. The contractual clauses should provide suitable guarantees for the transfer of personal data, respond to society’s shift towards digitalisation, ensure higher flexibility upon personal data transfers, and be easily available to a greater number of persons.
The clauses interconnect the general provisions with individual scenarios (modules) for transferring personal data between third-country controllers and processors who may choose the scenario (from the outlined ones) that suits them best in a particular case (personal data transferred between two controllers, a controller and a processor, a processor and a controller, or between two processors), giving them chance to adjust their duties accordingly for each particular case. Compared with the standard contractual clauses that have so far been in effect, the new contractual clauses take into account a greater number of possible scenarios, covering also situations when personal data are transferred from the EU/EEA processors to third-country controllers or between a number of processors.
The new standard contractual clauses may be used from 27 June 2021; the existing clauses can be relied upon in certain personal data transfer cases until 27 December 2022. However, we recommend starting to update contracts with suppliers and customers containing these standard contractual clauses as soon as possible.
Clauses for personal data processing contracts
When transferring personal data within the EU and EEA, these new standard contractual clauses serve as templates for personal data processing contracts concluded between controllers and processors (potentially also other subsequent processors if chaining of processors is involved) in compliance with Article 28 (3 and 4) of the GDPR. The inclusion of these clauses in contracts shall mean the fulfilment of the GDPR’s requirements on personal data processing contracts while minimising the risk that personal data will be transferred to the processor without an existing or valid legal title.
Also allowing for the involvement of several persons, these clauses should mainly standardise the rights and duties of controllers and processors where personal data processing involves one or more processors. In their final effect, the clauses are meant to facilitate the existing process of entering into personal data processing contracts and, making it more efficient.
The new standard contractual clauses for personal data processing contracts can also be used from 27 June 2021. Considering the above, we recommend evaluating whether any existing personal data processing contracts meet GDPR requirements and, if they do not, making the necessary adjustments.