EU Commission Issues New Standard Contractual Clauses

Written by: Charles R. Langhorne IV, Esq.

On June 4, 2021, the European Commission issued the long awaited new version standard contractual clauses (“SCCs”). In fact, the Commission issued two (2) different sets of SCCs.

1. 1. 1. Governing transfers of personal data within the European Union. Officially cited as: C(2021) 3701.
      2. Governing transfers of personal data outside the European Union. Officially cited as: C(2021) 3702.

1. Transfers Within The European Union

These SCCs are designed to govern the transfer of personal data between a data controller and a data processor when the personal data stays within the EU. Essentially, the Commission has created a standard Data Processing Agreement that complies with GDPR Article 28. If you are a business collecting personal data in the EU, and transferring it to a data processor you likely have a Data Processing Agreement, or similar contractual provisions, in place with your data processors in order to comply with GDPR Article 28.

Why?

This begs the question, why did the Commission go the trouble of creating a form document that contains language businesses are already required to have? Aside from GDPR Art. 28(7) granting the Commission the ability to create such a form document; the accompanying decision states the underlying reason is to provide a “coherent approach to personal data protection throughout the Union.”

Framework

The Commission has changed the format of the SCCs to add additional annexes (formerly called “appendixes” in the existing SCCs) that need to be completed prior to executing the SCCs.

Annex I – Contains the parties entering into the SCCs. This was previously the first section of the existing SCCs.

Annex II – Contains the description of the processing being undertaken. This was previously “Appendix 1” to the existing SCCs.

Annex III – Contains the measures the data processor has in place to protect the personal data being processed. This is similar to the content asked for in “Appendix 2” of the existing SCCs, but asks for much greater detail.

Annex IV – Contains a list of sub-processors the data processor uses in the event a business only gives a data controller “specific” authorization, as opposed to “general authorization.”

When Will These SCCs Go Into Effect?

Neither the decision, nor the SCCs themselves provide for a grace period. The decision states that the SCCs shall become effective twenty (20) days after the decision is published. The official EU website states that the decision will be published “in the coming days.”

What About The Other Provisions In My Data Processing Agreement?

Many businesses have worked with their IT, information security, and legal teams to add provisions to their data processing agreements that go above and beyond what GDPR requires. The SCCs state that the content of the SCCs can be supplemented or added to, as long as the content of the SCCs as published are not contradicted or modified.

What Do I Need To Do?

Unfortunately, the decision does not indicate whether a business must enter into these SCCs with their processors if the underlying contract already contains GDPR compliant provisions. At a minimum businesses should begin using these SCCs in contracts with data processors going forward.

2. Transfers To Countries Outside The European Union

The second set of SCCs governs transfers of personal data to countries outside of the EU, that have not received an adequacy decision under GDPR Art. 45. A list of the countries to which an adequacy decision has been granted can be found here.

Notably, the decision accompanying these SCCs states that these SCCs comply with GDPR Art. 28. Which means a business will not need to enter into the SCCs described above in addition to these SCCs when transferring data to countries outside the EU.

Framework

The Commission has setup these SCCs similar to the SCCs described above, but provides for some choices to be made prior to reaching the annexes. These SCCs provide for 4 “modules” depending on the type of transfer being made.

Module 1 – Transfer Controller to Controller
Module 2 – Transfer Controller to Processor
Module 3 – Transfer Processor to Processor
Module 4 – Transfer Processor to Controller

Depending on the relationship of the parties transferring personal data, the SCCs ask for businesses to choose the applicable “module” throughout the SCCs.

The annexes are very similar to the annexes described in the SCCs above, however, in slightly different format.

Annex I – Contains the parties entering into the SCCs and the description of the processing being undertaken.

Annex II – Contains the measures the data importer has in place to protect the personal data being transferred to the third country. This is similar to the content asked for in “Appendix 2” of the existing SCCs, but asks for much greater detail.

Annex III – Contains a list of sub-processors the data processor uses in the event a business only gives a data controller “specific” authorization, as opposed to “general authorization.”

When Will These SCCs Go Into Effect?

The existing SCCs governing international transfers will be repealed three (3) months from the date these SCCs are published. The official EU website states that the decision will be published “in the coming days.” Following that repeal date, there is a grace period of fifteen (15) months for contracts that were entered into prior to the repeal of the existing SCCs.

We expect these SCCs to be published by July 1, 2021, which would mean the existing SCCs would be repealed by September 1, 2021, and the grace period would end by December 31, 2022.

What About The Other Provisions In My Data Processing Agreement?

This is the same as stated above, the SCCs state that the content of the SCCs can be supplemented or added to, as long as the content of the SCCs as published are not contradicted or modified.

What Do I Need To Do?

Begin putting a plan in place to contact each vendor with which your business shares personal data to discuss implementing the new SCCs. Start this process now, so that the new SCCs will be in place by the end of the grace period.

This is a hot button issue, and as a result, supervisory authorities are continuing to conduct more investigations and issue more fines. You do not want your business to be on the receiving end of one of these fines.