In an increasingly digitized and connected world, data transfers have become routine and fundamental to the smooth operation of processing activity within the context of business and administration.
The Standard Contractual Clauses (SCCs) are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with the GDPR’s requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects. The SCCs are particularly important in the sphere of data protection by contributing towards a harmonized approach that concerns cross border processing or processing that affects the free flow of personal data or natural persons within the EEA itself, allowing for the consistent implementation of the GDPR’s specific provisions.
The clauses are intended to provide appropriate safeguards for international data transfers under Article 46 of the GDPR, provided that the SCCs are adopted completely and unaltered[1]. Their adoption is also one that does not prevent the controller/processor from including them in a wider contract and/or from including additional safeguards or other clauses, provided that this is done without contravening, directly or indirectly, the SCCs or the rights of data subjects[2].
As of today, the European Commission has issued three sets of SCCs, where two of them are intended for data transfers from EU controllers to non-EU controllers: Set I, Decision 2001/497/EC,in which both parties enter into a joint and several liability for the data protection obligations[3] and Set II Decision 2004/915/EC,which is considered as being more business friendly due to its development in cooperation with different trade associations[4]. On the other hand, the third set, is used for data transfers from EU controllers to non-EU processors, and they allow the possibility of outsourcing activities to a sub-processor, if it provides for an appropriate level of protection to the rights and freedoms of data subjects[5].
One of the main advantages of the, as yet non-updated, SCCs is that they are easy to to use and virtually remove the need of negotiating individual contractual terms or adopting Binding Corporate Rules (BCR), which is another method of transferring data to a third country which has been marginally adopted in practice. It is estimated that only 136 companies went into the procedure of adopting BCR[6].
Moreover, the SCCs contain clauses regulating the transfer and processing of personal data which are deemed to be in compliance with the GDPR. In view of the fact that they have to be adopted in an unaltered and complete manner to offer the required protection to data subjects, the lawful data protection standard cannot be changed negatively in the course of negotiations between the parties. Their adoption effectively creates a contractual basis for transfers between data-exporting controllers and data-importing controllers/processors, regardless of their individual relationship[7], whilst assuring compliance with legal obligation for such entities and providing for effective safeguards to the data subject, irrespective of where processing activity may ultimately take place.
This article was written by Legal Trainee, Steve Vella.
For more information on Data Protection & Privacy and related areas please contact Dr Ian Gauci on igauci@gtgadvocates.com and Dr Michele Tufigno on mtufigno@gtgadvocates.com
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
[1] Hullen, in: von dem Bussche/Voigt, Konzerndatenschutz, Ausblick (2014), rec. 64; Laue/Nink/ Kremer, Datenschutzrecht, Verarbeitung durch Dritte (2016), rec. 53.
[2] Rec. 109 GDPR.
[3] Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC [2001] OJ L181/19.
[4] Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries [2004] OJ L385/74.
[5] Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council [2010] OJ L39/5.
[6] ‘Binding Corporate Rules (BCR) Corporate rules for data transfers within multinational companies’ (European Commission) <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en> accessed 21 July 2019.
[7] Paul Voigt and Axel von dem Bussche, The EU General Data Protection Regulation (GDPR) A Practical Guide Springer 2017).