European Commission Publishes Final Version of Standard Contractual Clauses, Imposes Obligations on Data Controllers and Processors

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses (“SCC”) for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”).  The Commission also released the final version of the new SCCs. (LINK) The new version of the SCCs is in part a response to the decision in the Schrems II case, which raised questions about whether they provide necessary protections for the trans-Atlantic transfer of data. The European Commission’s release in November 2020 of draft versions of the implementing decision and the SCCs was discussed previously in this blog.

The guidance makes clear that companies using SCCs will face new compliance challenges. The implementing decision makes the important point that the controllers and processors will need to do more in advance of signing them.  To fulfill SCC requirements, companies – whether data importers or data exporters – will need to understand the nature and extent of the data being transferred and the and establish protections necessary to comply with the requirements of the SCCs.  Stated simply, companies will need to conduct a data protection impact assessment to understand what risks the transfer of data will raise and take steps to address them.

Companies will also need to document the steps it takes to fulfill the requirements of the SCCs.

The implementing decision also imposes significant additional requirements:

  • The controller and processor should be able to demonstrate compliance;
  • The importer should maintain appropriate documentation for the processing activities for which it is responsible;
  • The data importer should be required to inform the data exporter promptly if it is unable to comply with the clauses, for whatever reason; and
  • Should the data importer breach the clauses or be unable to comply with them, the data exporter should end the transfer of data and, in serious cases, have the right to terminate the contract, as it concerns the processing of personal data under the SCCs.

Clearly decision means organizations have to take far more significant action than previously. SCCs are intended to ensure that organizations implement appropriate data protection safeguards for international data transfers. Therefore, the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) can incorporate those standard contractual clauses in a wider contract and add other clauses or additional safeguards, provided they do not contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. Controllers and processors are encouraged to provide additional safeguards by means of contractual commitments that supplement the standard contractual clauses.

All old SCCs likely will need to be replaced with the new SCCs, at the latest, by approximately December 2022. For many organizations with a large number of contractual relationships, that means time is of the essence.