GDPR Contractual Clauses

20 February 2022

Blog post

On 4 June 2021, the European Commission adopted two implementing decisions with standard contractual clauses for the processing and transfer of personal data in accordance with the General Data Protection Regulation (“GDPR”). [1] In particular, these decisions adopt the following:

Although the new standard contractual clauses can be used from 27 June 2021, the European Commission has set two new deadlines for the transfer of personal data outside the EEA. The initial grace period allows controllers and processors to execute the old SCCs until September 27, 2021. The second grace period allows controllers and processors to rely on old SCCs executed before September 27, 2021 until December 27, 2022. From the latter date, companies that have relied on old SCCs to transfer personal data outside the EEA should have fully switched to the new SCCs.

“The new standard contractual clauses also require that this assessment be documented and made available to EU data protection authorities upon request,” Gordon said. “Many U.S. multinationals will have to rely heavily on external consultants to prepare for the required assessment.”

The Standard Contractual Clauses (SCCs) are an addendum to a contract, with provisions on the processing of personal data. The explicit wording of the SCCs has been pre-approved by the European Commission (Commission) for use in a contract for the legal transfer of this information from the European Union/European Economic Area (EU/EEA) to other countries that are considered to have less stringent data protection laws. SCCs are heavily used to facilitate international data transfers and global business activities.

The existing SCCs were adopted more than a decade ago, date back to the time before the General Data Protection Regulation (GDPR) and are considered somewhat outdated. As mentioned earlier, since the adoption of the GDPR, a number of EU regulators have published their own drafts and DPA templates to provide an easy-to-implement tool for companies to comply with the GDPR. Although the European Commission's standard contractual clauses come a few years after the adoption of these national DPA models, they should improve the consistent application of the GDPR in the EU.

To maintain the validity of these SCCs, it is important to note that they cannot be modified, but can be extended or included as part of a broader contract, provided that these additions do not contradict or detract from these SCCs as written. Notwithstanding the above, these SCCs are no longer the only available means of processing personal data between controllers and processors under the GDPR. The parties are always free to conclude their own agreement for such processing, as long as the mandatory clauses described in the GDPR are included.

Standard contractual clauses for data transfers between EU and third countries

Under the new SCCs, the European Commission has adopted a single set of clauses within a contract comprising three types of provisions: (i) fixed clauses that must remain unchanged regardless of the parties executing the new SCCs; (ii) modules to be added to or removed from the final contract, depending on the parties executing the new SCCs (C2C, C2P, P2C and P2P) and their choice from the available options; and (iii) blank clauses and annexes to be completed and supplemented by the parties with relevant information (e.g. the categories of data transferred, the data subjects, etc.).

[5] Unlike other frameworks for the transfer of personal data outside the EEA provided for in Articles 46 and 47 of the GDPR, such as Binding Corporate Rules (“BCRs”), approved codes of conduct and certification mechanisms, or ad hoc contractual clauses negotiated in private between controllers and/or processors. All of these mechanisms require the intervention of a regulatory authority or a certified/authorised third party to monitor and authorise the transfer of personal data outside the EEA.

In this context, the European Commission launched the procedure for the adoption of these standard contractual clauses on 12 November 2020, when it adopted draft implementing decisions for the new SCCs and for the standard contractual clauses for data processing agreements. The decisions adopted on 4 June 2021 take into account the joint opinion of the European Data Protection Board (EDPS), feedback from stakeholders and the views of Member States' representatives.

On 4 June 2021, the Commission published two new sets of SCCs. The first set replaces the old SCCs for cross-border data transfers to third countries. The second set is intended to be used between controllers and processors – previously, organisations had to create their own contractual conditions to fulfil the obligations between the controller and the processor under the GDPR, so the new set is likely to bring much more uniformity to these relationships.

The publication of the final version of the standard contractual clauses, and in particular the new SCCs on the transfer of personal data to third countries, was eagerly awaited. The former SCCs were specific contractual instruments adopted by the European Commission to take account of specific situations: C2C transfers (SCCs 2001) and C2P transfers (SCCs 2010). The standard contractual clauses for data processing agreements adopted by the European Commission on 4 June 2021 therefore aim to provide a single, prima facie legal DPA on which companies and organisations can rely and which they can execute to govern the relationship between the controller and the processor. The European Commission may decide that the standard contractual clauses provide sufficient safeguards for data protection so that data can be transferred internationally.

“Many organizations have hundreds or thousands of contracts that need to be evaluated and updated,” Francis said. “The new standard contractual clauses apply to commercial relationships that were not covered by the old version, such as a US customer who uses a service provider in the EU, so it is not as easy to simply exchange the old conditions for the new ones.”

For data importers that are processors, as modules two and three also include the mandatory clauses of the GDPR, they are likely to be used only for transfers outside the EU to data processors (whereas the former SCCs were generally attached to a separate data processing agreement (“DPA”) that included the mandatory clauses of the GDPR). Modules two and three can reduce or even eliminate the need for a separate DPA, but it is important to note that since SCC Set One remains valid, SCC Set Two cannot be modified, and all the conditions of a current DPA you have will be replaced by the SCCs in case of conflict.

If your company is a data processor outside the EU, we recommend that you review and compare the DPAs you currently have with applicable third parties to understand your future obligations – especially as these new SCCs may become the new market standard. You can also extend the new SCCs to meet the specific needs of your business, which is possible as long as these additions don't contradict or detract from the SCCs as written. Article 28(3) also contains the following specific clauses to be included in the contract:

All new contracts must use the new standard contractual clauses after 21 September 2021. If, after this period, employers with employees in the EU provide data without adequate legal protection, they could face fines or legal proceedings.

SCCs are standard sets of contractual conditions that the sender and recipient of the personal data sign, and which guarantee that the rights and freedoms of the individual are taken into account and maintained. These will replace the old 2010 Standard Contractual Clauses. The new clauses reflect changes implemented with the EU's new data protection law, the General Data Protection Regulation (GDPR) of 2018. The GDPR restricts the types of personal data that can be legally transferred.

Strengthening the rights of data subjects: Data subjects may enforce several provisions of the new SCCs against the data exporter and importer. Under the former SCCs, data subjects could only enforce third-party beneficiary clauses against the data importer or sub-processor if the data exporter and, in the case of a sub-processor, the data importer had effectively disappeared or legally ceased to exist.

The use of these standard contractual clauses for data processing agreements gives controllers and processors a certain additional degree of security with regard to their compliance with Article 28 of the GDPR, in particular vis-à-vis supervisory authorities or national courts in the event of disputes.

Although data processing agreements that do not follow the standard contractual clauses of the European Commission or of supervisory authorities are not illegal per se, they are expected to be subject to scrutiny if they become the subject of disputes or come to the authorities' attention. The new SCCs have a modular structure of clauses that data exporters will use depending on the nature of their roles and responsibilities with regard to the transfer of data in question:

Under the GDPR, the European Commission is empowered to adopt implementing acts, in particular: (i) the creation of standard contractual clauses for data processing agreements between controllers and processors, as well as between processors and sub-processors (Article 28(7) GDPR) and (ii) the creation of standard contractual clauses as appropriate safeguards for the transfer of personal data to third countries (Article 46(2)(a) GDPR). On 4 June, the European Commission approved new standard contractual clauses to allow the transfer of personal data from the European Union to other countries such as the United States. The GDPR contains specific and mandatory clauses that must be included in contracts between data controllers and processors where those processors process EU personal data on behalf of those data controllers. . . .