The Decision on the standard contractual clauses for the transfer of personal data to third countries was implemented by the EU Commission.
On 4 June 2021, the EU Commission implemented Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the “Decision”), as well as Decision (EU) 2021/915 on standard contractual clauses between controllers and processors. This article will focus solely on the standard contractual clauses for the transfer of personal data to third countries; the standard contractual clauses between controllers and processors shall be treated in a separate article.
The standard clauses provide the guarantees referred to in Article 46 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”) for the transfer of personal data from controllers or processors based in the EU/EEA to controllers or processors based in a third country, during the execution of contracts.
The standard contractual clauses are mandatory from 27 June 2021 (the date the Decision entered into force). Contracts concluded before 27 September 2021 on the basis of Decision 2001/497/EC or Decision 2010/87/EU shall be deemed to provide appropriate safeguards until 27 December 2022, provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Consequently, the transition to the new standard clauses, started on 27 June 2021 must be completed by 27 December 2022.
The standard contractual clauses apply to companies established in the EU, as well as to operators and their proxies established in third countries that do not provide an adequate level of protection but provide products or services to EU data subjects or monitor their behaviour.
The role of the standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers. Therefore, the data exporter and the data importer are free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. However, in the event of a contradiction between the standard clauses and the provisions of related agreements between the parties, existing at the time the standard clauses are agreed or entered into thereafter, the standard clauses shall prevail.
According to the standard contractual clauses, data exporters will have to evaluate the regulatory framework in the field of data protection of the third countries to which they transfer data, before making the transfer. If such a framework does not adequately protect the personal data subject to the transfer, additional organizational and/or technical protection measures must be contractually regulated.
Also, in the case of a relationship involving a controller, a processor and a sub-processor, the processor and the sub-processor may ensure compliance with the provisions of the GDPR by recourse to standard contractual clauses.
Where the processing involves data transfers from controllers subject to the GDPR to processors outside its territorial scope or from processors subject to the GDPR to sub-processors outside its territorial scope, the standard contractual clauses set should also allow for the fulfilment of the requirements set out in the GDPR. In this respect, the data importer shall not disclose the personal data to a third party located outside the EU unless the third party is or agrees to be bound by these standard clauses.
In order to provide appropriate safeguards, the standard contractual clauses ensure that the personal data transferred on that basis is afforded a level of protection essentially equivalent to that guaranteed within the EU. For transparency purposes, data subjects should be provided with a copy of the standard contractual clauses and be informed, in particular, of the categories of personal data processed, the right to obtain a copy of the standard contractual clauses, and any onward transfer.
In addition, data subjects should be able to invoke, and where necessary enforce, the standard clauses as third-party beneficiaries. Therefore, while the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third-party beneficiary rights.
If the transfer involves sensitive personal data (i.e., racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymization) and/or additional restrictions with respect to further disclosure.
In the event that the data importer is in breach of the standard clauses or unable to comply with them, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. The data exporter shall be entitled to terminate the contract when: (i) the data exporter has suspended the transfer of personal data to the data importer and compliance with the standard clauses is not restored within a reasonable amount of time and in any event within one month of suspension, (ii) the data importer is in substantial or persistent breach of these clauses or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under the clauses.
An article by:
Ioana Catalina Savan – Senior Associate, Leader of Compliance and Regulatory
PETERKA & PARTNERS Romania