Overview and implementation guide - New SCCs
The New SCC
What you need to know ... and what to do
On November 12, 2020, the European Commission published the draft standard contractual clauses (SCC). The SCC will likely enter into force in early 2021 and must be applied to any new contracts from then on. For existing contracts, there is a grace period of one year to replace the SCC, provided that you do not amend those contracts in the meantime. For further details on timing, please check the "Roadmap" section below.
We recommend you start getting SCC-ready, as this cannot be done by a simple amendment agreement. You will need to design and document new processes, conduct formal assessments, provide enhanced information to data subjects and push new rules down the chain of sub-processors and to partners with whom you share data.
The good news: the SCC are a significant improvement over the current SCC from a contractual perspective. They fix known deficiencies and gaps and provide a structure to address the Schrems II challenges.
For a quick briefing, please read the Executive Box below. If you would like an explanation of the relevant changes, their practical relevance and what you need to do to comply, please refer to the Details, Guidance and Actions table on the next page.
As always, we are happy to support and guide you through this process.
Executive Box
Details, Guidance and Actions
This overview table sets out the differences between the new and the current SCC which are of practical relevance for you. The green boxes provide practical guidance on interpretation, background and practical impact. The red boxes specify the action items required for implementing the new SCC.
Roadmap to Roll-out
Next Steps until Publication
Following public consultation until 10 December 2020, the Commission will publish a final draft by the end of 2020. The final SCC will be published in 2021 after completion of a Committee consultation with member state representatives and in consideration of opinions from the EDPB and the European Data Protection Supervisor.
Brexit
The UK is likely to adopt similar SCC under the UK privacy regime following Brexit.
Date of Application
New contracts must apply the SCC as of the date of application. For existing contracts, a one-year transition period applies after publication, during which data transfers can continue. But if existing contracts are amended (except for mere Schrems II amendments defining supplementary measures), the parties must move to the new SCC.
Actions
Multi-party Design
The SCC are designed for multi-importer / multi-exporter situations. Accession of further parties is possible under a docking clause.
Actions
Non-EU Data Exporters
In consideration of the extra-territorial scope under Article 3(2) GDPR, the SCC are now expressly to be used also by non-EU parties who process personal data under the GDPR.
Processing Situations
Relevant Processing Situations
The SCC apply a modular approach, incorporating the following data transfer scenarios in one set of SCC:
Schrems II Process
Note: The current SCC already required the importer to warrant that it has no reason to believe that applicable local legislation prevents it from fulfilling its obligations under the SCC. In the light of Schrems II, this concept has now been massively expanded.
Transfer Impact Assessment (TIA)
The parties must carry out a TIA considering defined criteria and, based on the TIA, warrant that they have no reason to believe local law would prevent them from complying with the SCC.
Note: The TIA criteria are the following: law and practice in the third country; duration of the contract; scale and regularity of transfers; length of the processing chain and transmission channel used; type of recipient; purpose of the transfer and nature of the data transferred.
Access Notification
The importer must promptly notify the data exporter and (if possible) the data subjects of any government access request, or actual access taken, with minimum content defined. Where notification is prohibited, the importer must seek a waiver and notify promptly once the prohibition has ceased.
Access Defence
The importer must take the following steps in response to any governmental access requests:
Access Documentation
The importer must provide comprehensive documentation of all proceedings and its assessments to the exporter and, upon request, to the EU Supervisory Authority (SA).
Adverse Change Notification
The importer must promptly notify the exporter if it has reason to believe that it may no longer be able to comply with the SCC, including as a result of a government access request.
Adverse Change Process
The following process must be applied if the exporter believes that the importer can no longer comply with the SCC (e.g. as a result of an Adverse Change Notification or based on its own assessment):
Note: The SCC remain silent on what impact termination has on the underlying commercial agreements. The parties need to consider the special termination right under the SCC and agree on appropriate consequences.
Access Transparency Report
The importer must regularly provide a report to the exporter with general information about access requests received.
Actions
C2C Rules
Stricter Limitation of Purpose
The importer is not permitted to use data for purposes which are "incompatible" with those disclosed in the SCC. An exception applies if the data subject consents.
Extended Data Subject Information
The importer controller must inform data subjects about the following:
Note: The extended information obligation could become quite onerous in practice. An option to streamline communication would be to provide the information through the exporter. Also, an exception applies where informing each data subject would be impractical. This would include situations where the importer does not have the required contact details to inform each data subject. In these situations, the importer could publish the information on its website.
Data Retention Obligations Introduced
The importer must apply a data retention policy and implement appropriate TOMs to ensure it is able to delete or anonymize data, including data in backups.
Data Accuracy and Data Minimization
Both parties must notify each other of, and correct, any inaccurate data. The importer must minimize the data it processes to what is needed for the purpose.
Extended Data Subject Rights
The importer must comply with requests for access, erasure and objections to processing for direct marketing. In addition, the importer must inform data subjects about automated decision making and offer at least an opportunity to contest automated decisions. The importer may refuse to act on excessive requests or charge a reasonable fee. Further, data subject requests may be refused on the basis of the local law of the importer.
Note: Under the current SCC, the importer is only responsible for responding to data subject enquiries if so agreed with the exporter, and no specific obligations for the importer are set out in the SCC. In consideration of the enhanced data subject rights under the GDPR, this responsibility has been significantly expanded and now includes all relevant GDPR rights, except for the right to portability and restriction of processing.
Accountability
Controller importers must keep, and make available to the SA upon request, documents proving compliance with the SCC. However, this does not include an obligation to maintain a ROPA or conduct a DPIA.
Onward Transfers
Further transfers to third parties are permissible only if:
Note: The onward transfer rules are similar to the current rules. The new SCC provide more flexibility for agreements with the third party (because no SA approval is required) but less flexibility on data subject consent (under the current SCC it is sufficient to give the data subject an opportunity to object).
Data Breach Notification
The importer must notify the exporter, the SA and data subjects if a data breach is "likely to result in significant adverse effects". The content of the notification is similar to the GDPR.
Note: The current SCC do not contain a data breach notification obligation for the importer. The notification hurdle for the importer controller is likely higher than under Articles 33 and 34 GDPR, which require a "high risk to the rights and freedoms of natural persons".
Actions
C2P Rules
Data Subject Information
The parties must provide a copy of the SCC to the data subject upon request (subject to redaction).
Note: This is already provided in the current SCC. There are no further information obligations included in the C2P module of the SCC, as such information obligations are attached to the EEA controller under the GDPR.
Data Accuracy and Data Minimization
Both parties must notify each other of, and correct or delete, any inaccurate or outdated data. The processor must cooperate with the controller to erase or rectify data.
Accountability and Audits
The processor must keep, and make available to the exporter and the SA upon request, appropriate documentation to prove compliance with the SCC. This includes records of processing activities carried out on behalf of the controller. The audit rules are more detailed but substantially similar to the current SCC.
Note: The SCC do not define the content and format of the accountability documentation. In particular, the requirements for the processor to maintain a processor ROPA (Article 30(2) GDPR) are not expressly mirrored in the SCC. Nevertheless, it makes sense for processors to use the format under the GDPR to comply with accountability principles.
Data Breach Process
The importer must (i) take mitigation measures; (ii) notify the exporter (content similar to the GDPR); and (iii) assist the exporter to comply with its GDPR data breach reporting process.
Note: The data breach obligations of the importer have been expanded to reflect the need to assist the controller to comply with its breach notification obligations under the GDPR. In practice, the relevant requirements have already been included in data processing agreements.
Sub-Processing
If the processor intends to engage a sub-processor to carry out specific processing activities on behalf of the controller, the processor must enter into a sub-processing agreement which mirrors the data protection obligations under the SCC. Upon request, the processor must provide a copy of the agreement with the sub-processor to the controller. In relation to obtaining the controller's consent, there are now two options available:
Note: As under the current SCC, a sub-processing agreement is not required for general services rendered to the processor (such as document destruction) which are not conducted on behalf of the controller. The concept of consent to sub-processing has now been aligned with the GDPR and is more flexible than the strict prior consent requirement under the current SCC. Option (2) reflects the current market practice for processors which, by the nature of their business, have a large customer base and are not prepared to limit their flexibility by having to obtain each controller's consent. Option (1) is frequently applied in more tailored relationships.
Onward Transfers
Onward transfers are permissible only upon instruction of the controller and if the third party is bound by the SCC, an adequacy decision or appropriate safeguards. The onward transfer requirements apply in addition to the rules for engaging sub-processors, but are considered to be fulfilled if a sub-processor agreement is entered into which mirrors the data protection obligations under the SCC.
Note: The current SCC did not contain any explicit rules on onward transfers. Nevertheless, the new concept is rather a clarification of the situation under the GDPR than a substantive change.
Actions
P2C Rules
Note: The P2C concept applies to situations where an EEA-based processor acts on behalf of a non-EEA controller. Generally, an EU-based data processor is subject to the GDPR only in relation to its duties as a processor. The non-EEA controller does not become subject to the GDPR by engaging an EU-based processor, and the processing activities as such are also not subject to the GDPR. For this reason, the SCC set out only limited obligations for this scenario.
General Concept for Controller Instructions
The EEA processor must process data only on instructions from the non-EEA controller. If the processor is unable to follow the controller's instructions, in particular if such instructions would prevent the processor from complying with the GDPR, it must notify the controller immediately. The controller shall not take any actions that would prevent the processor from complying with the GDPR, including the processor's obligation to cooperate with the EU SAs.
Note: As stated above, this only relates to the specific obligations attached to the processor as such under the GDPR. This includes, for example, the requirement to maintain appropriate data security standards in accordance with the GDPR and to create and maintain appropriate accountability documentation (e.g. the processor ROPA). However, the scope and purposes of the actual processing of data on behalf of the controller are not subject to the GDPR but to the data protection law applicable to the controller.
Data Subject Rights
The parties must assist each other in responding to data subject requests under the local law of the importer or, in relation to the processing by the exporter in the EU, under the GDPR.
Technical and Organizational Measures (TOMs)
Both parties are under an obligation to apply appropriate TOMs.
Accountability and Audits
The parties are required to be able to demonstrate compliance with the SCC.
Actions
Redress and Disputes
Contact for Complaints or Requests
The importer must publish the contact details of a person authorized to handle complaints and requests.
Disputes and Mediation (does not apply to P2C)
The parties agree to keep each other informed and to cooperate in the event of a dispute with a data subject regarding compliance with the SCC. The data importer must accept a data subject's decision to lodge a complaint with a competent SA or to refer the dispute to the competent courts, and must abide by a decision binding under EU law. Data subjects may be represented by non-profit organisations under Article 80 GDPR.
Liability
C2C and P2C
Non-material damages are now expressly included. The data subject may claim damages directly from the party which caused the damage. If more than one party is responsible, the parties are jointly and severally liable and the data subject may claim damages from either party.
C2P and P2P
Non-material damages are now expressly included. The data importer (processor or sub-processor) is responsible for any damage caused by it. The data exporter (controller or processor) is responsible for any damage caused by it or by the data importer. Where the data exporter is a processor, this is without prejudice to the liability of the controller. If more than one party is responsible, the parties are jointly and severally liable and the data subject may claim damages from either party.
Note: The data subject's position in disputes has been strengthened, in particular by including non-material damage claims and introducing joint and several liability of the data exporter and the data importer.
Supervision
Competent SA
The SA responsible for the data transfer by the data exporter or, if the data exporter is not established in the EEA, the SA of the member state in which the data subjects whose data are transferred are located, is deemed the competent SA.
Supervision
The data importer agrees to submit to the jurisdiction of the competent SA in any procedures aimed at ensuring compliance with the SCC, in particular to respond to inquiries, submit to audits and comply with any measures adopted by the SA.
Note: The powers and competences of the EU Supervisory Authority have been strengthened by requiring the importer to submit to its jurisdiction.
Termination
Special Termination Right for Non-compliance
The data exporter may terminate the main contract if:
In this case, the exporter shall inform the competent SA of such non-compliance.
Governing Law
The parties may choose the law of any member state which allows for third party beneficiary rights.
Further information
For more information please speak to your usual Ashurst contact or any of the people detailed below.