THE MODERNIZED EU STANDARD CONTRACTUAL CLAUSES – A NEW HOPE?

27 Dec 2021


Long-announced amendments to the EU Standard Contractual Clauses (hereinafter: SCC), which apply to international personal data transfers, have finally come into force. The European Commission announced its decision in June 2021, replacing the old SCCs with the updated SCCs as of September 27, 2021.

Specifically, the previous Standard Contractual Clauses were adopted even before the GDPR[1] period and before the decision of the Court of Justice of the European Union (CJEU) in the Schrems II Decision, which declared the EU-US Privacy Shield unlawful (which we wrote more about in our news New rules for personal data transfer to the US – Privacy shield knocked down, again!).

It has become clear that the previous SCCs did not meet the standards of accelerated international personal data transfer, and that it has become inevitable to regulate a new mechanism for personal data transfer between the EEA[2] and third countries that do not provide an adequate level of personal data protection (e.g., the US). In addition, the previous SCCs did not cover all the different types of personal data transfers that may occur, which is one of the reasons why the updated SCCs were eagerly awaited.

What Are the Updated Standard Contractual Clauses and When Do They Apply?

Standard Contractual Clauses represent a mechanism that companies that are subject to the GDPR can use to carry out lawful international data transfers in a situation where the data importer is located in a country that does not provide an adequate level of protection.

From the GDPR standpoint, it is considered that there is an adequate level of protection when the transfer is made between EU members, and the European Commission decides[3] on the list of non-EU countries that provide an adequate level of protection. If a country is not on the list adopted by the European Commission, it is considered that an adequate level of protection of personal data is not provided.

For example, if data is transferred from an EU Member State to the United States, which is not on the European Commission's list of countries, it is considered that there is no adequate level of protection, so SCCs are one of the simplest mechanisms to ensure the legality of the transfer.

The new SCCs are officially implemented as of September 27, 2021. This practically means that new SCCs apply to all personal data transfers you make after this date.

For example, your company begins work on September 30, 2021, on a joint project with a company based in the US and concludes a Master Service Agreement. In order to properly regulate the international transfer of personal data between the two companies, you are obliged to implement the new SCCs.

But What About the Agreements Concluded Before September 27, 2021, Which Contain the Old SCCs?

In that case, you are granted a transitional period until December 27, 2022. You can continue to apply the old SCCs up to that date, provided that there is no change in the data processing. If new processing operations occur (for example, new data are processed or data of new categories of persons not covered by the previous SCCs), you are obliged to update the agreements and start applying the new SCCs immediately.

How Are the New Standard Contractual Clauses Implemented?

The updated Standard Contractual Clauses contain 4 different Modules, depending on the roles of the importer and exporter of the personal data, as follows:

  • Module 1 – regulates the controller to controller relationship
  • Module 2 – regulates the controller to processor relationship
  • Module 3 – regulates the processor to processor relationship
  • Module 4 – regulates the processor to controller relationship

In each case, it is necessary to decide on the appropriate Module. Furthermore, it is important to highlight that two companies that are in a business relationship and exchange personal data can find themselves in several different roles, so that several different Modules can apply to one contractual relationship.

For example, in relation to your client, you may take the role of both the data controller and the data processor, and the two of you may take the role of joint controllers, depending on which party determines the purpose and ways of processing the personal data you share with each other. Consequently, each party will have certain obligations under the GDPR, and, therefore, it is necessary to implement the appropriate Module of the modernized SCCs in order for the transfer of data between you and your client to be properly regulated.

Therefore, it is important to start correctly defining the roles, data transfer directions, data mapping, and, depending on that, apply the appropriate Modules.

What Do You Need to Pay Attention To?

The European Commission introduced various novelties in the SCCs, and significant changes compared to the previous regime. Once you decide whether you need the modernized SCCs and how to implement them properly, pay attention to the following:

Docking Clause – a New Option

One of the more interesting novelties introduced by the SCCs is the accession clause, i.e., the so-called “docking” clause, which facilitates the accession of new contracting parties to an existing agreement.

Specifically, based on the stated clause (which is optional), any subject can enter into an agreement, i.e., the Standard Contractual Clauses, either as a data importer or exporter, by simply filling in the annexes and signing the annex to the SCCs. For example, with the help of this clause, if an acquisition procedure has been carried out, new companies can easily accede to your intercompany agreement governing the transfer of personal data, without the obligation to re-enter an agreement between all members of the group. However, it is important to keep any modification of the agreement within the allowed limits, since the SCCs can be changed and modified only to a certain extent.

Pay Attention to the Extension of the Liabilities of the Contracting Parties, Applicable Law and Dispute Resolution Jurisdiction

What can be concluded from the updated SCCs is that the European Commission’s intention is to provide a higher standard of protection to the persons whose personal data are being processed, as well as the possibility for them to easily exercise their rights in case of any breach of the personal data.

In this regard, SCCs clearly define the liability of data importers and exporters, and even sub-processors in relation to the data subjects, all depending on which party caused material or non-material damage to the data subject. In addition, the data subject whose rights have been violated can choose when to initiate proceedings, if both or more parties are responsible for the damage, and thus facilitate the procedure of compensating for any damage.

That is why it is important to correctly define the applicable law and jurisdiction for resolving disputes, because you may be sued by a person whose data has been violated and therefore be obliged to compensate the damages. If you are compensating for damages for which you are not solely responsible, you will certainly want part of the responsibility to be borne by the company with which you shared the data and which may have contributed equally or more to the damage. In order to be able to initiate appropriate proceedings against the other party or your sub-processor at a later stage, it will be crucial to decide in which country you will be able to exercise your rights and what the applicable law will be.

Therefore, it is crucial to properly decide on the court jurisdiction that would resolve the dispute between you and the other party, but also on the applicable law that will apply to resolving that dispute. The interesting fact is that the updated SCCs provide for a wider range of possibilities regarding the stipulation of jurisdiction and applicable law, in the sense that the parties are no longer limited by the registered seat of the data exporter, but can stipulate the jurisdiction of any EU Member State, and for Module 4, even the jurisdiction of a non-member state.

It is recommended that, when deciding and conducting negotiations, you consider all key factors: the role you take and your position in the particular case, the laws and practice of the country of the applicable law, the potential litigation expenses in the jurisdiction chosen for dispute resolution, etc.

Pay Close and Thoughtful Attention to the Agreements Concluded with the Subcontractors (Sub-processors)

The new SCCs introduce significant obligations for all data recipients who hire subcontractors and continue to share the data they have received.

Namely, if you engage the services of subcontractors, or so-called sub-processors, for data processing outside the EEA, you will still be obliged to implement the updated SCCs and to update your agreements with the engaged subcontractors.

Therefore, it will be necessary to perform a complete audit of how you receive all the data, in what ways, what the possible directions of data transfer are, whether the data is further exported or shared, with which subjects, where these subjects are located, etc.

Only after a detailed analysis will you be able to assess whether you need the new SCCs and whether you need to apply them in relation to your subcontractors. Otherwise, you risk violating both the provisions of the GDPR and the provisions of the agreement you have concluded with the company from which you receive the data.

Do the New Standard Contractual Clauses Apply in Serbia?


The answer is YES!

The new Standard Contractual Clauses could apply to the companies located in Serbia in two situations.

If the provisions of the GDPR apply to your company based in Serbia extraterritorially, then you are obliged to implement the new SCCs if you export personal data to countries that do not provide an adequate level of protection. We wrote about the extraterritorial application of the GDPR in the blog Territorial Scope of GDPR in Serbia.

This means that if you are subject to the GDPR and, additionally, you share personal data with another company located in Serbia, you are obliged to implement the new SCCs.

Another option when new SCCs can be applied (if you are registered in Serbia and the GDPR does not apply to you) is the situation in which you receive data from the EU, i.e., process the personal data and appear in the role of data importer. Since Serbia is not considered a country that provides an adequate level of protection from the GDPR standpoint, you will most likely have to apply the new SCCs to the relationship with your clients, associates and contractors from the EEA.

Therefore, it is crucial to revise the agreements and start to comply with the obligations and standards imposed by the new and modernized SCCs.

A New Hope for the Safe International Personal Data Transfer?

Even though the purpose of the modernized SCCs is to minimize the risks of international data transfer from the EU to third countries, as well as to respond to the requirements set out in the Schrems II Decision, it is clear that the application of the SCCs does not guarantee the security of the data transfer.

Of course, companies participating in the international transfer will have to consider whether additional security measures are needed to protect personal data in accordance with the recommendations of the Court of Justice of the EU. So, simply copying the SCCs will not suffice, but you will have to approach each data transfer thoroughly and systematically.

[1] General Data Protection Regulation
[2] European Economic Area
[3] Source: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
