On June 4, 2021, the EU Commission published new standard data protection clauses for the transfer of personal data to so-called third countries, i.e., countries outside the EU. The new EU standard data protection clauses replace the predecessor models from 2010 and 2001, which were still based on the Data Protection Directive, and are intended to facilitate the implementation of the Schrems II decision’s requirements. Companies should now check: Is personal data transferred to third countries outside the EU? Are EU standard data protection clauses already being used? Is there an adequate level of data protection in the third country?
What is the purpose of the standard data protection clauses?
Any transfer of personal data (“data transfer”) to a third country outside the EU requires compliance with special conditions laid down in the General Data Protection Regulation (“GDPR”). This means that a data transfer to a third country may only take place if this is done, for example, on the basis of
- an adequacy decision (Art. 45 GDPR),
- binding corporate rules (Art. 47 GDPR), or
- standard data protection clauses (Art. 46 (2) (c) GDPR).
Why were new standard data protection clauses adopted?
The ECJ's so-called Schrems II decision, which resulted in data transfers from the EU to the US no longer being protected by the “Privacy Shield” – an adequacy decision between the EU and the US (cf. Art. 45 GDPR) – triggered the development of new standard data protection clauses by the EU Commission.
However, the decision not only affected data transfers to the US but stipulated in general that controllers had to ensure for every data transfer to a third country that the transferred personal data will be adequately protected in a manner comparable to EU practice. For this purpose, since the Schrems II decision, data controllers must conduct a review of the legal situation in the third country and, when concluding standard contractual clauses, ensure that, if necessary, additional contractual, technical and organizational measures are implemented in order to guarantee an adequate level of data protection in the third country as well.
The new EU standard data protection clauses are intended to better reflect the requirements of the legal situation after the Schrems II decision; they will not, however, replace a review of the legal situation in the third country and the taking of additional measures.
How are the new standard data protection clauses structured?
The new EU standard data protection clauses are designed to accommodate a wide range of complex personal data processing chains.
A modular structure is used for this purpose:
- MODULE ONE: Transfer from controller to controller
- MODULE TWO: Transfer from controller to processor
- MODULE THREE: Transfer from processor to processor
- MODULE FOUR: Transfer from processor to controller
In particular, the latter two constellations, i.e., data transfers from an EU processor, were not provided for by the former EU standard data protection clauses.
The new EU standard data protection clauses also allow more than two parties to enter into standard data protection clauses. Furthermore, additional parties can “join” standard data protection clauses that have already been concluded, which is intended to better map the lifecycle of such a contractual relationship.
Case-by-case review still required for transfers to third countries
Although the new standard contractual clauses were created in part as a response to the ECJ's Schrems II decision, they do not release the contracting parties from continuing to examine the legal situation in the third country in detail and from taking additional measures and guarantees to ensure an adequate level of data protection in the third country. There is therefore still no “carte blanche” for international data transfers. However, the new EU standard data protection clauses reflect this issue better than their predecessors.
Obligations towards data subjects
The new EU standard data protection clauses also contain new obligations towards data subjects whose personal data are being processed. For example, data subjects must be provided with a copy of the standard data protection clauses. This means that, in future, a typical online privacy notice should include a link that allows users to download the relevant standard data protection clauses. The data importer will also be required to name a contact person who will handle complaints from EU data subjects directly.
The old standard data protection clauses from 2010 and 2001 will be repealed within the next three months and may subsequently be used for a further 15 months only. This means that controllers or processors in the EU must have negotiated and concluded the new standard data protection clauses with their processors or controllers in third countries within 18 months at the latest.
- Check whether you transfer personal data to a third country outside the EU. Remote access from the USA may already be sufficient for this.
- Check whether you already use EU standard data protection clauses and replace them with the new EU standard data protection clauses.
- Check in advance whether an adequate level of data protection exists in the third country, or what additional measures need to be taken to ensure an adequate level of data protection.
Coordinated action by the supervisory authorities
On June 1, 2021, several data protection supervisory authorities (Berlin, Brandenburg, Bavaria, Lower Saxony, Baden-Württemberg, Bremen, Hamburg, Rhineland-Palatinate, Saarland) announced that they will conduct a coordinated review of compliance with the requirements of the GDPR and the Schrems II decision on international data transfers by means of questionnaires. This brings compliance with the requirements for international data transfers into the supervisory authorities’ focus. Companies should therefore prepare themselves to receive the following questionnaires and be compliant with data protection requirements.