EU Commission publishes new standard contractual clauses as basis for international data transfers

Following the “Schrems II” decision by the European Court of Justice (ECJ) and the coordinated investigation by data protection authorities in the various German States which is already underway, the EU Commission adopted and published new standard contractual clauses for data transfers last week.

Goal and purpose of the standard data protection clauses

The standard contractual clauses are meant to ensure adherence to the requirements of the General Data Protection Regulation (GDPR) in connection with the transfer of personal data to third countries. The EU Commission is adopting these clauses in response to the “Schrems II” decision, in which the ECJ not only ruled that the EU-US Privacy Shield is invalid as an adequacy decision for the exchange of data between the EU and the US, but also set strict requirements for the use of standard contractual clauses as the basis for data transfers to third countries.

Key aspects of the standard contractual clauses published to date

The new standard contractual clauses have a modular structure and were generally designed with international data exchanges in mind. They include the following modules:

  • Module 1: Transfer controller to controller
  • Module 2: Transfer controller to processor
  • Module 3: Transfer processor to processor
  • Module 4: Transfer processor to controller

These clauses contain appropriate safeguards, including enforceable rights for data subjects and effective legal remedies in accordance with the GDPR with regard to data transfers by controllers to other controllers or processors and/or between processors. But the parties are free to stipulate broader protections by individual agreement, provided that those agreements do not contradict the EU Commission’s standard contractual clauses for data transfers, directly or indirectly, and that they do not prejudice the fundamental rights or freedoms of data subjects.

The EU Commission has also published standard contractual clauses relating to the exchange of data between controllers and processors within the EU. However, there is no obligation to use these standard contractual clauses; rather, they are intended as a proposal for the EU Commission.

Future developments

The published documents are final working documents. The official version will be published in the EU Official Journal in the coming days, so some minor editorial changes are still to be expected. The new standard contractual clauses for data transfers should replace the former standard contractual clauses, which were created based on the old Data Protection Directive, within 18 months, so as to meet the requirements of the ECJ’s “Schrems II” decision. Nevertheless, the EU Commission has already found that an individual assessment as to the level of data protection remains necessary, and there is still no sign of an agreement with the US which could form the basis for a new adequacy decision (only in German).

Please let us know if you need help with regard to assessment of your existing data transfers to third countries or with implementation of the standard contractual clauses for data transfers. We would also be glad to assist you in connection with processing arrangements.

