New stan­dard con­trac­tu­al clau­ses – the count­down is on!

In respon­se to the “Schrems II” Decis­i­on of the Euro­pean Court of Jus­ti­ce (ECJ), the EU Com­mis­si­on published new stan­dard con­trac­tu­al clau­ses (SCC) on 7 June 2021. While the­se have been bin­ding for new con­tracts sin­ce last year, the imple­men­ta­ti­on dead­line for exis­ting con­tracts is 27 Decem­ber 2022. Com­pa­nies should ensu­re now at the latest that they have con­cluded new con­tracts with their ser­vice pro­vi­ders. Other­wi­se, the­re is a risk of seve­re fines and dama­ge com­pen­sa­ti­on claims from tho­se affected.

What are the stan­dard data pro­tec­tion clauses?

The Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) aims to ensu­re that the level of pro­tec­tion it gua­ran­tees for per­so­nal data is not under­mi­ned by data trans­fers to third count­ries. Com­pa­nies have been deal­ing with the resul­ting legal pro­blems in inter­na­tio­nal data trans­fers for years. This is par­ti­cu­lar­ly true sin­ce the ECJ declared the EU-US Pri­va­cy Shield inva­lid and annul­led the EU Com­mis­si­on’s ade­quacy decis­i­on based on it.

One way to trans­fer data to third count­ries in a privacy-compliant man­ner wit­hout an ade­quacy decis­i­on is to use SCCs. In the “Schrems II” Decis­i­on, the ECJ also for­mu­la­ted more strin­gent requi­re­ments for data trans­fers based on the SCCs. The new SCCs the­r­e­fo­re pro­vi­de appro­pria­te safe­guards and effec­ti­ve reme­dies to ensu­re that the data importers gua­ran­tee ade­qua­te pro­tec­tion for data in third count­ries. The new SSCs also impo­se addi­tio­nal obli­ga­ti­ons on com­pa­nies. The­se include con­duc­ting a trans­fer impact assess­ment (TIA) and pro­vi­ding assu­rance that the­re is no reason to belie­ve that “the laws and prac­ti­ces appli­ca­ble to the pro­ces­sing of per­so­nal data by the data importer pre­vent the data importer from ful­fil­ling its obli­ga­ti­ons under the stan­dard con­trac­tu­al clauses.”

What’s to be done?

Com­pa­nies should check whe­ther they export data to third count­ries for which no ade­quacy decis­i­on exists. If the rele­vant con­tracts with ser­vice pro­vi­ders still con­tain old stan­dard con­trac­tu­al clau­ses, com­pa­nies should cont­act them imme­dia­te­ly. If not alre­a­dy done, a TIA should also be per­for­med.
Howe­ver, lar­ge pro­vi­ders are likely alre­a­dy using the new SSCs. After all, the new SSCs have been man­da­to­ry for new con­tracts sin­ce last year, so repu­ta­ble pro­vi­ders alre­a­dy had to deal with the issue any­way. If the ser­vice pro­vi­der pro­ves to be unco­ope­ra­ti­ve, it should be exami­ned whe­ther a chan­ge to ano­ther pro­vi­der is pos­si­ble with reasonable effort. The time until the end of Decem­ber is limi­t­ed and pro­tra­c­ted dis­cus­sions with intran­si­gent com­pa­nies are only useful if their ser­vice can­not be easi­ly repla­ced. This has par­ti­cu­lar prac­ti­cal rele­van­ce for coöpe­ra­ti­on with US ser­vice pro­vi­ders. Alt­hough the EU Com­mis­si­on is pre­pa­ring a new ade­quacy decis­i­on that could make the con­clu­si­on of the clau­ses super­fluous, it is by no means cer­tain that this will be achie­ved by the end of the year.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.