European Commission’s Q&A On The New Standard Contractual Clauses – Data Protection

Posted on By admin No Comments on European Commission’s Q&A On The New Standard Contractual Clauses – Data Protection

To print this article, all you need is to be registered or login on Mondaq.com.

On 25 May 2022, the European Commission published Questions and Answers for the New Standard Contractual Clauses to provide practical guidance on the use of standard contractual clauses (SCCs) and help organizations with their General Data Protection Regulation (GDPR) compliance efforts. The Commission confirmed that the Q&A document will be regularly updated.

SCCs as a Means to Safeguard Data Transfers

The SCCs adopted by the European Commission in June 2021 can be used to safeguard personal data transfers from the EU to a third country which the Commission does not consider as offering an adequate level of data protection.

The SCCs have a modular approach, including general clauses applicable to all cases and four modules tailored to the capacity in which the parties will be using the personal data. The parties have to choose the module that reflects their situation (ie if they are a controller, processor or a sub-processor) and whether they are a data exporter or a data importer.

Businesses should note use the SCCs to transfer data from a data exporter in the EEA to a data importer outside the EEA to whom the GDPR applies by virtue of Article 3 GDPR. The Commission confirmed it is in the process of developing an additional set of SCCs for this scenario.

Businesses that rely on the earlier version of SSCs in agreements before 27 September 2021 should update these agreement to include the new SCCs before 27 December 2022 to ensure compliance with the GDPR.

Some other important points among the 44 questions in the Q&As are presented in this update.

How should the SCCs be executed?

The SCCs may be incorporated into an underlying contract. However, the Commission confirmed that:

  1. the SCCs must be signed in Annex IA to ensure the SCCs are binding on all data exporters and all data importers in accordance with local law requirements, and


  2. the parties must fill out the Annexes to the SCCs and make clear which modules, options and specifications between square brackets they have chosen in order to ensure transparency. This can be achieved, for example, by appending the SCCs including the Annexes to the underlying contract.

The SCCs can be signed by the parties electronically provided that this is allowed by the law governing the agreement.

Can liability under the SCCs be limited?

The Commission clarified that organizations cannot limit their liability under the SCCs towards data subjects or in relation to each other. Any contractual provision in the underlying contract that seeks to cap, limit or otherwise exclude the parties’ liability under the SCCs risks invalidating the SCCs as a valid tool for transferring personal data outside the EEA.

However, liability for breaches of data protection provisions in the underlying contract can be limited according to general rules, provided the limitation does not apply to liability arising under the SSCs.

Can the text of the SCCs be changed?

Parties cannot change the wording of the SCCs other than to:

  1. select modules and specific options in the text,


  2. complete the text were necessary,


  3. fill in the Annexes,


  4. add additional safeguards that increase the level of protection for the data.

These adaptations are not considered changing the text of the SCCs. If the parties change the text of the SCCs more than that, the parties cannot rely on the legal certainty of the SCCs.

Can several modules be agreed between the same parties at the same time?

yes. More than one module can be integrated in one set of SCCs. This is particularly helpful if parties within a group assume different roles for different data transfers (as a controller and a processor).

Which data protection authority should be designated as the competent authority?

The parties should specify the competent data protection authority in Annex IC of the SSCs in accordance with Clause 13 of the SCCs.

If the data exporter is located in the EEA, the data protection authority should be the authority competent to monitor compliance by the exporter with the GDPR. This will be the organization’s lead supervisory authority for businesses carrying out cross-border processing activities in the EEA.

If there are more data exporters, several supervisory authorities may be competent and should be all specified in Annex IC

Can the SCCs be used for international transfers of personal data outside the UK and Switzerland?

The SCCs can be used for transfers of personal data outside the UK provided they are supplemented by the UK Addendum to the EU SCCs published by the UK Information Commissioner’s Office. You can find more information about the UK Addendum in our client alert.

On 27 August 2021, the Swiss Federal Data Protection and Information Commissioner confirmed that the SCCs can also be used for transfers of data outside Switzerland, provided that the necessary adaptations and amendments are made to ensure compliance with the Swiss Federal Act on Data Protection.

Originally Published 10 June 2022

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the “Mayer Brown Practices”). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Checker Advogados, a Brazilian law partnership with which Mayer Brown is associated. “Mayer Brown” and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2021. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

POPULAR ARTICLES ON: Privacy from European Union

Data Privacy In A Quantum World

PA Consulting Group

A quantum computer can find one item in a list of one trillion in about one second. A classical computer takes about a week to do the same.

International Data Transfers – Thinkhouse (Video)

Gowling WLG

To keep you up-to-date on the latest data protection developments, we look at the latest position on international transfers in light of the new standard form agreements published by the ICO.

Implications Of The Data Reform Bill

Shepherd and Wedderburn LLP

On 10 May 2022 the UK Government announced, through the Queen’s Speech, that the United Kingdom’s data protection regime is to be reformed.

.

Lei Tags:, , ,

Leave a Reply

Your email address will not be published.