GDPR permits data transfers to countries outside the EU / EEA only if certain safeguards are implemented to ensure an adequate level of data protection in the country of the data importer. The most common safeguard for securing such transfers are the so-called ‘standard contractual clauses’ (“SCCs”). On 4 June 2021, the EU Commission published a new set of SCCs.
Key Takeaways
Key takeaways regarding the new SCCs include:
- Modular approach – Instead of different sets of standard contractual clauses, there will be only one set, which can be adapted by selecting modular provisions in accordance with the constellation of the actual transfer. Specifically, the SCCs may be used for (1) controller-to-controller transfers; (2) controller-to-processor transfers; (3) processor-to-processor transfers; and (4) processor-to-controller transfers.
- Mandatory assessment – The new SCCs provide for a mandatory data transfer impact assessment to be carried out by the contracting parties. Both parties have to warrant that they have no doubts that the data protection laws in the receiving country (including any requirements to disclose personal data or measures authorizing access by public authorities) will not prevent the data importer from fulfilling its obligations under the SCCs, i.e. essentially that the third country’s requirements comply with European standards. The impact assessment must be documented and submitted to the supervisory authorities upon request.
- Like the current SCCs, the new SCCs may be included in a wider contractual setting, but may not be otherwise modified. Any additional terms may not contradict the SCCs. This includes, among others, a liability clause that makes it very difficult for data importers to limit their liability towards data subjects for any violations of the SCCs.
Data Transfer to Israel
At the moment, Israel has the status of an “adequate jurisdiction”, and as such organisations may freely transfer personal data from the EU to Israel without additional safeguards. If, however, at some point Israel should no longer be considered an adequate jurisdiction, organisations are most likely to turn to the SCCs as their alternative legal basis for the transfer. It is still unclear, though, if the required impact assessment of the local law addressed above would automatically lead to the conclusion that Israeli privacy protection laws “do not exceed what is necessary and proportionate” and thus essentially comply with European standards. If this threshold is not met, data transfer to Israel may be only possible with further safeguards. It is expected that any decision from the European Commission on this matter would include further guidance on this point.
Outlook
The new SCCs will come into force 20 days after publication in the Official Journal of the EU, which is expected to take place within the next few days. The existing SCCs will be repealed three months after the publication, and any new data transfer agreements entered into after that date will need to include the new SCCs. Organisations will then have 18 months to update existing contracts with the new SCCs.
As ever we are ready to assist with all your needs. Please don’t hesitate to contact us.