EU Commission publishes new standard contractual clauses as basis for international data transfers

Stefan Hessel

Following the "Schrems II" decision by the European Court of Justice (ECJ) and the coordinated investigation by data protection authorities in the various German States which is already underway, the EU Commission adopted and published new standard contractual clauses for data transfers last week.

Goal and purpose of the standard data protection clauses

The standard contractual clauses are meant to ensure adherence with the requirements of the General Data Protection regulation (GDPR) in connection with the transfer of personal data to third countries. The EU Commission is adopting these clauses in response to the "Schrems II" decision,  in which the ECJ not only ruled that the EU-US Privacy Shield is invalid as an adequacy decision for the exchange of data between the EU and the US, but also set strict requirements for the use of standard contractual clauses as the basis for data transfers to third countries.

Key aspects of the standard contractual clauses published to date

The new standard contractual clauses have a modular structure and were generally designed with international data exchanges in mind. They include the following modules:

  • Module 1: Transfer controller to controller
  • Module 2: Transfer controller to processor
  • Module 3: Transfer processor to processor
  • Module 4: Transfer processor to controller

These clauses contain appropriate safeguards, including enforceable rights for data subjects and effective legal remedies in accordance with the GDPR with regard to data transfers by controllers to other controllers or processors and/or between processors. But the parties are free to stipulate broader protections by individual agreement, provided that those agreements do not contradict the EU Commission's standard contractual clauses for data transfers, directly or indirectly, and that they do not prejudice the fundamental rights or freedoms of data subjects.

The EU Commission has also published standard contractual clauses relating to the exchange of data between controllers and processors within the EU. However, there is no obligation to use these standard contractual clauses; rather, they are intended as a proposal for the EU Commission.

Future developments

The published documents are final working documents. The official version will be published in the EU Official Journal in the coming days, so that some minor editorial changes are still to be expected. The new standard contractual clauses for data transfers should replace the former standard contractual clauses, which were created based on the old Data Protection Directive, within 18 months, so as to meet the requirements of the ECJ's "Schrems II" decision. Nevertheless, the EU Commission has already found that an individual assessment as to the level of data protection remains necessary and there still no sign of an agreement with the US which could form the basis for a new adequacy decision (only in German).

Please let us know if you need help with regard to assessment of your existing data transfers to third countries or with implementation of the standard contractual clauses for data transfers. We would also be glad to assist you in connection with processing arrangements.

[June 2021]