Overview and implementation guide - New SCCs

Next Steps until Publication

Following public consultation until 10 December 2020, the Commission will publish final draft by end 2020. Final SCC will be published in 2021 after completion of a Committee consultation with member state representatives and in consideration of opinions from the EDPB and the European Data Protection Supervisor.

Brexit

UK likely to adopt similar SCC under UK privacy regime following Brexit.

Date of Application

New contracts must apply the SCCs as of the date of application. 

For existing contracts, a one-year transition period applies after publication during which data transfers can continue. But if existing contracts are amended (except for mere Schrems II amendments defining supplementary measures), parties must move to the new SCC.

Actions

• Prepare ready-to-sign versions of the SCC for all relevant situations. Various options must be selected and information completed in the SCC template.
• As of publication date: Include the applicable SCC version in all new contracts.
• Initiate process to uplift existing contracts within one year after publication date. 
• Advise your processors on need to enter into P2P SCCs with their sub-processors.

Multi-party Design

The SCC are designed for multi importer / exporter situations. Accession of further parties is possible under a docking clause.

Actions

• Set up SCC as multi-party agreements and include all relevant parties from the beginning, in particular where services are provided to various affiliates within a group.
• The SCC docking clause requires consent of all existing parties which may not always be practical. To achieve the intended flexibility, a more practical accession mechanism should be established (supplementing the SCC).

Non-EU Data Exporters

In consideration of the extra-territorial scope under Article 3 (2) GDPR, the SCC are now expressly to be used also by non-EU parties who process personal data under the GDPR.

Relevant Processing Situations

The SCC apply a modular approach incorporating the following data transfer scenarios in one set of SCC:

• Controller to controller (C2C);
• Controller to processor (C2P);
• Processor to (sub-)processor (P2P);
• Processor to Controller (P2C).

Note:   The current SCC had already required the importer to warrant that it has no reason to believe that applicable local legislation prevents it from fulfilling its obligations under the SCC. In the light of Schrems II, this concept has now been massively expanded.

Transfer Impact Assessment (TIA)

Parties must carry out a TIA considering defined criteria and, based on the TIA, warrant they have no reason to believe local law would prevent them to comply with the SCC.

Note:  TIA criteria are the following: Law and practice in third country, duration of contract; scale and regularity of transfers; length of processing chain and transmission channel used; type of recipient; purpose of the transfer and nature of the data transferred.

Access Notification

Importer must promptly notify data exporter and (if possible) data subjects of any government access request, or actual access taken, with minimum content defined. Where notification is prohibited, importer must seek a waiver and notify promptly once the prohibition has ceased.

Access Defence

Importer must take the following steps in response to any governmental access requests:

• Assess options to challenge the request, seek interim suspension if there are valid grounds;
• Limit data disclosed to minimum required by law.

Access Documentation

Importer must provide comprehensive documentation of all proceedings and his assessments to the exporter and, upon request, to the EU Supervisory Authority (SA). 

Adverse Change Notification

Importer must promptly notify exporter if it has reason to believe that it may no longer be able to comply with the SCC, including as a result of a government access request.

Adverse Change Process

The following process must be applied if exporter believes that importer can no longer comply with SCC (e.g. as a result of an Adverse Change Notification or based on own assessment):

• Exporter to determine if it (or importer) can apply appropriate safeguards to remedy the concern.
  
  • If yes: Apply safeguards, continue transfer, notify and explain safeguards to SA.
  • If no (or if so instructed by SA): Stop transfer and inform SA.

• If transfer is stopped: Exporter is entitled to terminate the contract.

Note:  The SCC remain silent on what impact termination has on the underlying commercial agreements. The parties need to consider the special termination right under the SCC and agree on appropriate consequences.

Access Transparency Report

Importer must regularly provide a report to the exporter with general information about access requests received.

Actions

• Exporter to develop TIA procedure and format of documentation. Ensure TIA is conducted prior to data transfer to third countries and kept on file.
• Importers must clarify scope of governmental access rights under their local law and the remedies available. Assessments must be made available to exporter and, upon request, to SA.
• Importers must establish and document Access Notification and Adverse Change Notification process.
• Importer and exporter to establish and document process to notify data subjects about any governmental access or access requests. If the importer does not have the required information (e.g. does not have contact details), the exporter must provide any missing information.
• Importers must prepare regular Access Transparency Report.
• Exporters must establish and document Adverse Change Process.
• As a result of the new P2C scenario (see below), importer controllers may be required to inform their exporter processors in the EEA of any access requests received by their governmental authorities under local law. However, the Schrems II obligations apply to the P2C constellation only, if the EEA processor combines controller data with data collected by the processor in the EEA.

Stricter Limitation of Purpose

Importer is not permitted to use data for purposes which are "incompatible" with those disclosed in the SCC. An exception applies if the data subject consents. 

Extended Data Subject Information

The importer controller must inform data subjects about the following:

• Identity and contact details;
• Changes of processing purpose;
• Third party transfers: Identity and purpose of transfer;
• Upon request: Provide a copy of clauses (as in the current SCC).

Note:  The extended information obligation could become quite onerous in practice. An option to streamline communication would be to provide the information through the exporter.

Also, an exception applies where information of each data subject would be impractical. This would include situations where the importer does not have the required contact details to inform each data subject. In these situations, the importer could publish the information on its website.

Data Retention Obligations Introduced

Importer must apply data retention policy and implement appropriate TOMs to ensure it is able to delete or anonymize data, including data in backups.

Data Accuracy and Data Minimization

Both parties must notify reach other of and correct any inaccurate data. Importer must minimize the data it processes to what is needed for the purpose.

Extended Data Subject Rights

Importer must comply with requests for access, erasure and objections to processing for direct marketing. In addition, importer must inform data subject about automated decision making and offer at least an opportunity to contest automated decisions.

The importer may refuse to act on excessive requests or chare a reasonable fee. Further, data subject requests may be refused on the basis of the local law of the importer.

Note:   Under the current SCC, the importer is only responsible for responding to data subject enquiries if so agreed with the exporter and no specific obligations for the importer are set out in the SCC. In consideration of the enhanced data subject rights under GDPR, this responsibility has been significantly expanded and now includes all relevant GDPR rights, except for the right to portability and restriction of processing.

Accountability

Controller importers must keep, and make available to SA upon request, documents proving compliance with the SCC. However, this does not include an obligation to maintain a ROPA or conduct a DPIA. 

Onward Transfers

Further transfers to third parties are permissible only if:

• Third party is bound by SCC, adequacy decision or appropriate safeguards;
• agreement with 3rd party which offers same protection as SCC plus exporter gets copy; or 
• explicit consent of data subject plus notice to exporter.

Note:  The onward transfer rules are similar to current rules. The new SCC provide more flexibility for agreements with the third party (because no SA approval is required) but less flexibility on data subject consent (under the current SCC it is sufficient to give the data subject an opportunity to object).

Data Breach Notification

Importer must notify exporter, SA and data subjects if data breach is "likely to result in significant adverse effects". Content of the notification is similar to GDPR.

Note:  Current SCC do not contain a data breach notification obligation for the importer. The notification hurdle for the importer controller is likely higher than under Articles 33, 34 which require a "high risk to the rights and freedoms of natural persons".

Actions

• Importer and exporter to agree, establish and document appropriate data subject information process. To be checked whether an exception applies and publication of information on importer's website is sufficient.
• Importer to establish and document a Data Retention Policy. As the SCC explicitly include data in backups, importer must also develop a concept for deleting or anonymizing data in backups or (if deletion is not practical) a concept for securing and blocking backup data against access. 
• Importer to establish and document process to comply with data subject right requests.
• Importer to review and uplift any onward transfer agreements so that they comply with SCC standards. Importer to roll out SCC for onward transfers, where required.

Data Subject Information

Parties must provide copy of SCC to data subject upon request (subject to redaction).

Note:  This is already provided in the current SCC. There are no further information obligations included in the C2P module of the SCC as such information obligations are attached to the EEA controller under GDPR.

Data Accuracy and Data Minimization

Both parties must notify reach other of and correct or delete any inaccurate or outdated data. Processor must cooperate with controller to erase of rectify data.

Accountability and Audits

Processor must keep, and make available to exporter and SA upon request, appropriate documentation to prove compliance with the SCC. This includes records of processing activities carried out on behalf of the controller. The audit rules are more detailed but substantially similar to current SCC.

Note:  The SCC do not define content and format of the accountability documentation. In particular, the requirements for the processor to maintain a processor ROPA (Article 30(2) GDPR) are not expressly mirrored in the SCC. Nevertheless, it makes sense for processors to use the format under GDPR to comply with accountability principles.

Data Breach Process

Importer must (i) take mitigation measures; (ii) notify exporter (content similar to GDPR) and (iii) assist exporter to comply with its GDPR data breach reporting process.

Note:  The data breach obligations of the importer have been expanded to reflect the need to assist the controller to comply with its breach notification obligations under the GDPR. In practice, the relevant requirements have already been included in the data processing agreements.

Sub-Processing

If the processor intends to engage a sub-processor to carry out specific processing activities on behalf of the controller, the processor must enter into a sub-processing agreement which mirrors the data protection obligations under the SCC. Upon request, processor must provide a copy of the agreement with the sub-processor to controller.

In relation to obtaining controller's consent, there are now two options available: 

1. Specific authorization of the controller is required prior to engagement of any sub-processor, approved sub-processors are disclosed in Annex III which is constantly updated. 
2. General written authorization of controller is given, approved sub-processors are disclosed in Annex III, controller is notified of intended appointment of new sub-processor and has right to object.

Note:  As under the current SCC, a sub-processing agreement is not required for general services rendered to the processor (such as document destruction) which are not conducted on behalf of the controller.

The concept for consent to sub-processing has now been aligned with the GDPR and is more flexible than the strict prior consent requirement under the current SCC. Option (2) reflects the current market practice for processors which, by nature of their business, have a large customer base and are not prepared to limit their flexibility by having to obtain each controller's consent. Option (1) is frequently applied in more tailored relationships.

Onward transfers

Onward transfers are permissible only upon instruction of the controller and if the third party is bound by SCC, adequacy decision or appropriate safeguards. The onward transfer requirements apply in addition to the rules for engaging sub-Processor but are considered to be fulfilled if a sub-processor agreement is entered into which mirrors the data protection obligations under the SCC.

Note:  The current SCC did not contain any explicit rules on onward transfers. Nevertheless, the new concept is rather a clarification of the situation under GDPR than a substantive change.

Actions

• Parties to agree and prepare redacted SCC version for delivery to data subjects.
• Processor to determine appropriate scope of accountability documentation, in particular the format of a register of processing operations.
• Processor to establish and document a data breach notification procedure.
• Parties to opt for specific or general written authorization. The time limit for the notification of the controller prior to engagement of a sub processor must be agreed and specified.
• Supplementary rules regarding the further process in case of non-approval or objection of the controller to be agreed.

Note:  The P2C concept applies to situations where an EEA based processor acts on behalf of a non-EEA controller. Generally, an EU based data processor is subject to the GDPR only in relation to its duties as a processor. The non-EEA controller does not become subject to the GDPR by engaging an EU based processor and the processing activities as such are also not subject to the GDPR.

For this reason, the SCC set out only limited obligations for this scenario.

General Concept for Controller Instructions

The EEA processor must process data only on instructions from the non-EEA controller. If the processor is unable to follow the controller's instructions, in particular if such instructions would prevent the processor to comply with the GDPR, it must notify the controller immediately. The controller shall not take any actions that would prevent the processor to comply with the GDPR, including the processor's obligation to cooperate with the EU SAs.

Note:  As stated above, this only relates to the specific obligations attached to the processor as such under GDPR. This includes for example the requirement to maintain appropriate data security standards in accordance with the GDPR and to create and maintain appropriate accountability documentation (e.g. the processor ROPA). However, the scope and purposes of the actual processing of data on behalf of the controller is not subject to the GDPR but to the data protection law applicable to the controller.

Data Subject Rights

Parties to assist each other in responding to data subject requests under local law of the importer or, in relation to the processing by the exporter in the EU, under GDPR.

Technical and Organizational Measures (TOMs)

Both parties are under an obligation to apply appropriate TOMs.

Accountability and Audits

The parties are required to be able to demonstrate compliance with the SCC.

Actions

• Parties to identify relevant situations and enter into SCCs. As stated above in the "Schrems II Rules" section, the Schrems II rules are only applicable if the EEA processor collects data in the EEA and combines such data with controller data.
• Non-EEA controller to determine appropriate scope of accountability documentation, in particular processes for responding to data subject requests.

Contact for Complaints or Requests

Importer must publish contact details of a person authorized to handle complaints and requests.

Disputes and Mediation (does not apply to P2C)

Parties agree to keep each other informed and cooperate in the event of a dispute with a data subject regarding compliance with the SCC.

Data importer must accept data subject decision to lodge a complaint with a competent SA or refer the dispute to the competent courts and must abide with a decision binding under EU law. Data subjects may be represented by non-profit organisations under Article 80 GDPR.

C2C and P2C

Non-material damages are now expressly included. 

Data subject may claim damages directly from the party which caused the damage. If more than one party is responsible, the parties are jointly and severally liable and the data subject may claim damage from either party.

C2P and P2P

Non-material damages are now expressly included. 

Data importer (processor or sub-processor) is responsible for any damage caused by it.

Data exporter (controller or processor) is responsible for any damage caused by it or by the data importer. Where the data exporter is a processor, this is without prejudice to the liability of the controller. If more than one party is responsible, the parties are jointly and severally liable and the data subject may claim damage from either party.

Note:  Data subject position in disputes has been strengthened, in particular by including non-material damage claims and introducing joint and several liability of data exporter and data importer.

Competent SA

The SA responsible for the data transfer by the data exporter or, if the data exporter is not established in the EEA, the SA of the member state in which the data subjects whose data are transferred are located, is deemed the competent SA.

Supervision

The data importer agrees to submit to the jurisdiction of the competent SA in any procedures aimed at ensuring compliance with the SCC, in particular respond to inquiries, submit to audits and comply with any measures adopted by the SA.

Note:  The powers and competences of the EU Supervisory Authority have been strengthened by requiring the importer to submit to its jurisdiction.

Special Termination Right for Non-compliance

Data exporter may terminate the main contract if:

1. data exporter has suspended the data transfer and compliance with the SCC is not restored within a reasonable time and in any event within one month;
2. data importer is in substantial or persistent breach of these Clauses; or
3. data importer fails to comply with a binding decision of a competent court or the competent supervisory authority regarding its obligations under these Clauses.

In this case, exporter shall inform the competent SA of such non-compliance.

Parties may choose the law of any member state which allows for third party beneficiary rights.