10/06/21

GDPR compliance - New standard contractual clauses

On 4 June 2021, the European Commission adopted the following two sets of new standard contractual clauses in the context of the General Data Protection Regulation (Regulation 2016/679, the GDPR):

  • standard contractual clauses replacing the old standard contractual clauses providing appropriate safeguards within the meaning of Article 46(1) and (2)(c) of the GDPR for the transfer of personal data by a controller or processor (data exporter) to a controller or (sub) processor whose processing is not subject to the GDPR (data importer)1; and
     
  • standard contractual clauses that can be used in contracts between controllers and processors who process personal data on behalf of the controller(s) for compliance with the requirements of Article 28(3) and (4) of the GDPR, regardless of whether there is a transfer or not.2

The main innovation in the standard contractual clauses for transfers of personal data to third countries resides in their modular structure, which gives the flexibility to cover various transfer scenarios within one single document, i.e. transfers from controller to controller, from controller to processor, from processor to processor and from processor to controller. The same set of standard contractual clauses equally covers the rights and obligations of controllers and processors with respect to the requirements in Article 28(3) and (4) of the GDPR.

These standard contractual clauses for transfers notably reflect some requirements deriving from the GDPR as interpreted in the light of the relatively recent developments on international transfers of personal data further to the outcome of the “Schrems II” case. Nevertheless, they do not remove the consequences of the CJEU ruling and the need to assess the necessity to adopt supplemental measures as recommended by the European Data Protection Board (in a version adopted for public consultations). On the foregoing and the consequences of Schrems II in particular, please see our article.

The decisions adopting the standard contractual clauses will enter into force on 27 June 2021.

Former standard contractual clauses will be repealed on 27 September 2021. Contracts concluded before that day that rely on former standard contractual clauses will remain valid for a period of 15 months ending on 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of the GDPR.

1 See Commission Implementing Decision 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation 2016/679 and Article 29(7) of Regulation 2018/1725.

2 See Commission Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation 2016/679.
