Other Author Salome Peters, Legal Intern
On 25 May 2022, the European Commission published Questions and Answers for the New Standard Contractual Clauses to provide practical guidance on the use of standard contractual clauses (SCCs) and help organisations with their General Data Protection Regulation (GDPR) compliance efforts. The Commission confirmed that the Q&A document will be regularly updated.
SCCs as a Means to Safeguard Data Transfers
The SCCs adopted by the European Commission in June 2021 can be used to safeguard personal data transfers from the EU to a third country which the Commission does not consider as offering an adequate level of data protection.
The SCCs have a modular approach, include general clauses applicable to all cases and four modules tailored to the capacity in which the parties will be using the personal data. The parties have to choose the module that reflects their situation (i.e. if they are a controller, processor or a sub-processor) and whether they are a data exporter or a data importer.
Businesses should not use the SCCs to transfer data from a data exporter in the EEA to a data importer outside the EEA to whom the GDPR applies by virtue of Article 3 GDPR. The Commission confirmed it is in the process of developing an additional set of SCCs for this scenario.
Businesses that rely on the earlier version of SSCs in agreements concluded before 27 September 2021 should update these agreement to include the new SCCs before 27 December 2022 to ensure compliance with the GDPR.
Some other important points among the 44 questions in the Q&As are presented in this update.
How should the SCCs be executed?
The SCCs may be incorporated into an underlying contract. However, the Commission confirmed that:
- the SCCs must be signed in Annex I.A to ensure the SCCs are binding on all data exporters and all data importers in accordance with local law requirements, and
- the parties must fill out the Annexes to the SCCs and make clear which modules, options and specifications between square brackets they have chosen in order to ensure transparency. This can be achieved, for example, by appending the SCCs including the Annexes to the underlying contract.
The SCCs can be signed by the parties electronically provided that this is allowed by the law governing the agreement.
Can liability under the SCCs be limited?
The Commission clarified that organisations cannot limit their liability under the SCCs towards data subjects or in relation to each other. Any contractual provision in the underlying contract that seeks to cap, limit or otherwise exclude the parties' liability under the SCCs risks invalidating the SCCs as a valid tool for transferring personal data outside the EEA.
However, liability for breaches of data protection provisions in the underlying contract can be limited according to general rules, provided the limitation does not apply to liability arising under the SSCs.
Can the text of the SCCs be changed?
Parties cannot change the wording of the SCCs other than to:
- select modules and specific options in the text,
- complete the text were necessary,
- fill in the Annexes,
- add additional safeguards that increase the level of protection for the data.
These adaptations are not considered changing the text of the SCCs. If the parties change the text of the SCCs more than that, the parties cannot rely on the legal certainty of the SCCs.
Can several modules be agreed between the same parties at the same time?
Yes. More than one module can be integrated in one set of SCCs. This is particularly helpful if parties within a group assume different roles for different data transfers (as a controller and a processor).
Which data protection authority should be designated as the competent authority?
The parties should specify the competent data protection authority in Annex I.C of the SSCs in accordance with Clause 13 of the SCCs.
If the data exporter is located in the EEA, the data protection authority should be the authority competent to monitor compliance by the exporter with the GDPR. This will be the organisation's lead supervisory authority for businesses carrying out cross-border processing activities in the EEA.
If there are more data exporters, several supervisory authorities may be competent and should be all specified in Annex I.C.
Can the SCCs be used for international transfers of personal data outside the UK and Switzerland?
The SCCs can be used for transfers of personal data outside the UK provided they are supplemented by the UK Addendum to the EU SCCs published by the UK Information Commissioner's Office. You can find more information about the UK Addendum in our client alert.
On 27 August 2021, the Swiss Federal Data Protection and Information Commissioner confirmed that the SCCs can also be used for transfers of data outside Switzerland, provided that the necessary adaptations and amendments are made to ensure compliance with the Swiss Federal Act on Data Protection.