GDPR Updates You Can't Ignore: The New Standard Contractual Clauses in Detail

New EU standard contractual clauses (SCC): Safer Third Country Data Transfers?

Tick-tock... did you hear that? That was the sound of a deadline passing. On December 27, 2022, the EU's GDPR standard contractual clauses (SCC) became officially binding - a call to arms for businesses around the globe. Surprisingly, numerous companies, from small startups to large corporations, are yet to embrace these changes. Could this be you?

Adopted in June 2021, the new SCC brings with it a wave of transformation to our digital world, revolutionizing how we handle data transfers, especially across borders. If you're still on the sidelines or not entirely aware of what these changes imply, you're at the right place. This post is your wake-up call - a comprehensive guide to understanding these pivotal adjustments, their impact, and why it's time for your company to join the compliance bandwagon. Read on, for the world of GDPR is shifting, and the time to act is now! Let us help you with the fine print.

The clauses introduce significant changes:

  1. GDPR Update: the previous clauses were drafted before the GDPR was introduced. The new clauses feature updated language reflecting additional requirements of the EU GDPR, including the principles of data minimization, purpose limitation, and storage limitation.
  2. Adjustment to the Digital Economy: data transfers online come in more versions than previously conceived and are covered by standard contractual clauses, including different data transfer types (see below for more detail).
  3. All Data Processing: the new clauses no longer require a data processing agreement, according to article 28, GDPR. The new clauses can stand on their own and cover data transfers and all data processing. This could be a massive benefit to businesses using the new clauses as one contract to cover all aspects of processing.
  4. More extensive and detailed TOMs obligations: the new clauses contain more extensive and detailed requirements in the form of an implementation of appropriate technical and organizational measures ("TOMs") to protect personal data during data transfers.
  5. Accountability, transparency, and cooperation: the new clauses emphasize accountability and transparency, with requirements for data controllers and processors to maintain records of processing activities and to cooperate with supervising bodies.
  6. Some changes permitted: it has become easier to slightly adjust and integrate new standard contractual clauses as long as these changes do not reduce an adequate level of protection: "The parties may supplement the SCCs with additional clauses or incorporate them into a broader commercial contract, as long as the other contractual provisions do not contradict the SCCs, either directly or indirectly, or prejudice the rights of data subjects." (European Commission FAQ)
  7. Easier to add parties thanks to the "Docking" clause: parties may use the optional pre-drafted "docking" clause to allow third parties to join the contract more efficiently.
  8. More variants covering different data transfer types via other modules:
    1. Controller to controller (C2C – module 1): these clauses are used when two data controllers in different jurisdictions transfer any personal data.
    2. Controller to processor (C2P – module 2): these clauses are used when a data controller in the EU transfers personal data to a data processor outside of the EU.
    3. (Sub-) processor to (sub-) processor (P2P – module 3): these clauses are used when a data processor in the EU engages a sub-processor outside of the EU.
    4. Processor to controller (P2C – module 4): these clauses are used when a data processor outside of the EU transfers personal data to a data controller in the EU.

Each set of clauses contains specific provisions tailored to the individual transfer type being carried out. For example, C2C clauses may include provisions related to joint data controllership. In contrast, C2P clauses may include provisions related to data processing instructions and security measures.

It's vital for organizations to ensure they are using the correct set of clauses for their individual data transfer scenario and to verify that all obligations and requirements are being met in compliance with the EU GDPR. However, to ascertain which scenario applies in any particular data processing context, for example in the ECJ's Facebook fan page decision, can be difficult.

While the new standard contractual clauses are "ready-made" templates, they are nowhere near sufficiently safe: properly using them has also become much more difficult due to the Schrems II decision requiring an "essentially equivalent" level of data protection within third countries. Therefore, especially when using standard contractual clauses to protect a data transfer outside of the EU, it's imperative to consider essential issues:

  1. Which laws in the destination country govern the data transfer in question?
  2. How do the relevant laws affect data protection? Do these laws undermine the guarantees of the standard data protection clauses for international data transfers?
  3. It is imperative to analyze each specific data transfer and determine which third country laws apply. This also pertains to all further recipients of this data.

Overall, the new EU GDPR standard contractual clauses are designed to provide excellent protection and flexibility for personal data transfers in compliance with EU GDPR requirements. Nonetheless, data transfers outside the EEA are becoming increasingly complex and risky. Therefore, we recommend looking at the FAQ provided by the European Commission.

Key references:

SCC: Standard Contractual Clauses: standardized contractual clauses developed by the European Commission to ensure the protection of personal data during transfers between EU member states and third countries.

GDPR: General Data Protection Regulation: a data security directive by the European Union governing the protection of EU citizens’ personal data and introducing consistent data protection standards across the EU.

C2P: Consumer to Platform: a business relationship whereby consumers purchase services or products from a platform provided by a company.

EEA: European Economic Area: a single market allowing for the free movement of goods, services, capital and people among member states of the European Union and members of the European Free Trade Association.

EU: European Union: a political and economic union of 27 European countries promoting cooperation in various sectors including trade and law.

C2C: Consumer to Consumer: a business relationship whereby consumers directly buy or sell from or exchange products or services with each other.

P2C: Platform to Consumer: a business relationship whereby a platform sells services or products to consumers.