Contact: Jelena Đukanović
In June 2021, the European Commission announced its decision on new Standard Contractual Clauses (hereinafter: SCC), replacing the old SCCs as of September 27, 2021. Hence, the long-announced amendments to the SCCs, which apply to the international transfer of personal data, have finally come into force.
The previous Standard Contractual Clauses were adopted even before the GDPR period, and it was expected that, after the GDPR came into force, the European Commission would adopt new SCCs. The decision of the Court of Justice of the European Union (CJEU) in the Schrems II Decision had a significant influence on the content of the new SCCs. To recall, in the Schrems II Decision, the CJEU declared the EU-US Privacy Shield unlawful (which we wrote more about in our news New rules for personal data transfer to the US – Privacy shield knocked down, again!).
It has become clear that the old SCCs did not meet the standards of accelerated international personal data transfer, and that it had become inevitable to regulate a new mechanism for the transfer of personal data between the EEA and third countries that do not provide an adequate level of personal data protection (such as the USA). In addition, the previous SCCs did not cover all the different types of personal data transfers that may occur, which is one of the reasons why the updated SCCs were eagerly awaited.
Standard Contractual Clauses represent a mechanism that companies that are subject to the GDPR can use to lawfully transfer personal data abroad in a situation where the data importer is located in a country that does not provide an adequate level of protection.
From the GDPR perspective, an adequate level of protection exists when the transfer is made between EU members. Additionally, the European Commission decides on the list of non-EU countries that provide an adequate level of protection. Therefore, if a country is not on the European Commission’s list, it is considered that an adequate level of protection of personal data is not provided.
For example, if data is transferred from an EU Member State to the United States, which is not on the European Commission's list of countries, it is considered that there is no adequate level of protection. In that case, the SCCs are one of the simplest mechanisms to ensure the legality of the transfer.
The new SCCs are officially implemented as of September 27, 2021. This practically means that new SCCs apply to all personal data transfers you make after this date, if the transfer is conducted based on the SCC.
For example, your company begins work on September 30, 2021, on a joint project with a company based in the US and concludes a Master Service Agreement. In order to properly regulate the international transfer of personal data between the two companies, you are obliged to implement the new SCCs.
But what about the Agreements Concluded Before September 27, 2021, Which Contain the Old SCCs?
In such a case, the existing agreements containing the old SCCs can be used until December 27, 2022, provided that there is no change in the data processing. If new processing operations occur (for example, new data are processed, or data of new categories of persons not covered by the previous SCCs), it is necessary to conclude a new agreement containing the new SCCs.
The updated Standard Contractual Clauses contain 4 different Modules, depending on the roles of the importer and exporter of the personal data, as follows:
In each case, it is necessary to decide which Module is appropriate for the relationship between the importer and exporter of the personal data. Furthermore, it is important to highlight the fact that the two companies that are in a business relationship and exchange personal data can be found in several different roles so that several different Modules can be applied to one contractual relationship.
For example, in relation to your client, you may take the role of both data controller and data processor, and also the role of joint controllers, depending on which party determines the purpose and ways of processing the personal data you share with each other. Consequently, each party will have certain obligations under the GDPR, and it is therefore necessary to implement the appropriate Module of the modernized SCCs in order for the transfer of data between you and your client to be properly regulated.
Therefore, it is important to start correctly defining the roles, data transfer directions, and data mapping, and, depending on that, apply the appropriate Modules.
The European Commission introduced various novelties in the SCCs, and significant changes compared to the previous international data transfer regime. Once you decide whether you need the modernized SCCs and how to implement them properly, pay attention to:
One of the more interesting novelties introduced by the SCCs is the accession clause, i.e., the so-called “docking” clause, which facilitates the accession of new contracting parties to an existing agreement.
Namely, based on this optional clause, any subject can enter into an agreement, i.e., the Standard Contractual Clauses, either as a data importer or as a data exporter, by simply filling in the annexes and signing the annex to the SCCs.
For example, with the help of this clause, if an acquisition procedure has been carried out, new companies can easily accede to your intercompany agreement governing the transfer of personal data, without the obligation to re-enter an agreement between all members of the group. However, it is important to make sure that the modification of the agreement is within the allowed limits, since the SCCs can be changed and modified only to a certain extent.
What can be concluded from the updated SCCs is that the European Commission intends to provide a higher standard of protection to data subjects, as well as the possibility to easily exercise their rights in case of any breach of personal data.
In this regard, the SCCs clearly define the liability of data importers and exporters, and even sub-processors, in relation to the data subjects, all depending on which party caused material or non-material damage to the data subject. In addition, the data subject whose rights have been violated can choose against whom they will initiate the proceedings, provided that both (or more) parties are responsible for the damage, which facilitates the procedure of compensating for any damage.
That is why it is important to correctly define the applicable law and jurisdiction for dispute resolution, since you may be sued by data subjects whose rights have been violated and therefore be obliged to compensate for the damages. If you are compensating for damages for which you are not solely responsible, you will certainly want part of the responsibility to be borne by the company with which you shared the data and which may have contributed to the damage. In order to be able to initiate appropriate proceedings against the other party or your sub-processor at a later stage, it may be crucial to decide in which country you will be able to exercise your rights and what the applicable law will be.
Thus, deciding on the court jurisdiction that would resolve the dispute between you and the other party, as well as the applicable law that will apply to resolving that dispute are important questions that should be determined.
The interesting fact is that the updated SCCs provide for a wider range of possibilities regarding the stipulation of jurisdiction and applicable law. Specifically, the parties are no longer limited by the registered seat of the data exporter but can stipulate the jurisdiction of any EU Member State, and for Module 4, even the jurisdiction of a non-member state.
Therefore, it is recommended that, when deciding and conducting negotiations, you consider all key factors: the role you take and your position in the particular case, the laws and practice of the country of the applicable law, the potential litigation expenses in the jurisdiction chosen for dispute resolution, etc.
The new SCCs introduce significant obligations for all data recipients who hire subcontractors and continue to share the data they have received.
Namely, if you engage the services of subcontractors, i.e., sub-processors, for data processing outside the EEA, you will still be obliged to implement the updated SCCs and to update your agreements with the engaged subcontractors.
Therefore, it will be necessary to perform a complete audit of how you receive all the data, in what ways, whether the data is further exported or shared, with which subjects, where these subjects are located, what are the possible directions of data transfer, etc.
Only after a detailed analysis will you be able to assess whether you need the new SCCs and whether you need to apply them in relation to your subcontractors. Otherwise, you risk violating both the provisions of the GDPR and the provisions of the agreement you have concluded with the company from which you receive the data.
The answer is YES!
The new Standard Contractual Clauses could apply to the companies located in Serbia in two situations.
If the provisions of the GDPR apply extraterritorially to your company based in Serbia, then you are obliged to implement the new SCCs if you export personal data to countries that do not provide an adequate level of protection. If you would like to find out more about the extraterritorial application of the GDPR, please check our blog Territorial Scope of GDPR in Serbia.
This means that if you are subject to the GDPR and, additionally, you share personal data with another company located in Serbia or any other country that does not provide an adequate level of data protection, you are obliged to implement the new SCCs.
Another option when new SCCs can be applied (if you are registered in Serbia and the GDPR does not apply to you) is the situation in which you receive data from the EU, i.e., process the personal data and appear in the role of data importer. Since Serbia is not considered a country that provides an adequate level of protection from the GDPR standpoint, you will most likely have to apply the new SCCs to the relationship with your clients, associates, and contractors from the EEA.
Therefore, it is crucial to revise the agreements and start to comply with the obligations and standards imposed by the new and modernized SCCs.
Even though the purpose of the modernized SCCs is to minimize the risks of international data transfer from the EU to third countries, as well as to respond to the requirements set out in the Schrems II Decision, it is clear that the application of the SCCs does not guarantee the security of the data transfer.
Of course, companies participating in the international transfer will have to consider whether additional security measures are needed to protect personal data in accordance with the recommendations of the Court of Justice of the EU. So, simply copying the SCCs will not suffice, but the international data transfer will require a systematic and detailed approach.