Transferring personal data to contractual partners outside of the EU requires safeguards for data protection. The most important instrument for this in practice is the EU standard contractual clauses. The EU Commission has now adapted these clauses to the EU General Data Protection Regulation (GDPR). The new clauses take account of the case law of the ECJ (“Schrems II”) and also now cover data exports by EU data processors. Companies must incorporate the new clauses into their processes for international transfers and adapt existing agreements with service providers and other data recipients outside the EU.

In parallel, the EU Commission has also adopted standard contractual clauses that can be used for controller-processor agreements within the EU. In the future, contracting practice will thus be standardized and companies will gain legal certainty.

Read on to learn what to do now.

Background

Chapter V of the GDPR requires appropriate safeguards for data transfers to non-EU countries to ensure an adequate level of data protection at the recipient. For this purpose, the EU standard contractual clauses are usually agreed with the recipient. The previous clauses were based on the old EU Data Protection Directive and required adaptation to the GDPR. After long preparation, the EU Commission has adopted revised standard contractual clauses on July 4, 2021.

The Commission has made the clauses more widely applicable and eliminated practical problems. For example, previously there were only contractual clauses for data exports by controllers in the EU to controllers or processors outside the EU (controller-to-controller or controller-to-processor). The new clauses additionally cover cases where processors export data from the EU (processor-to-controller and processor-to-processor). This eliminates the previous need to conclude direct contracts with sub-processors of EU service providers in certain cases.

International data transfers have come into focus due to the “Schrems II” decision (C-311/18) of the ECJ. The court overturned the Privacy Shield agreement, but continued to allow the export of data on the basis of EU standard contractual clauses. However, for transfers to countries such as the USA, whose laws provide for extensive disclosure requests and surveillance measures against which only limited legal protection is available, the ECJ demanded additional guarantees of a contractual, technical or organizational nature. The Commission has now taken this into account with a clause that obliges data importers to provide information about, and if necessary to take legal action against, government requests for disclosure. In the view of the EU supervisory authorities, however, further measures such as special encryption may remain necessary for U.S. transfers.

Less attention than the standard contractual clauses for international contracts has been paid to the model contracts for controller-processor agreements pursuant to Art. 28 GDPR, which were published for the first time. These could become the de facto standard also within the EU and simplify negotiations with service providers in the EU in the future.

What do Companies Need to Do Now?

In the first step, companies must integrate the new EU standard contractual clauses into their contractual processes with international service providers. In the second step, they should review their existing contractual relationships with international partners and systematically update them to the new clauses. Intra-group agreements on data transfer should also be taken into account. Finally, companies should also take note of the new model contracts for commissioned processing and check whether they would like to use these in the future to simplify their contractual practice in the EU as well or adapt their own templates.

How are the New EU Standard Contractual Clauses to be Applied?

The new clauses include four modules to be used depending on the situation: (1) controller-controller, (2) controller-processor, (3) processor-processor and (4) processor-controller. As before, there is an Annex 1 in which the details of the transfer are to be described, as well as an Annex 2 on technical and organizational measures (except for case (4)). New for cases (2) and (3) is the list of sub-processors, which must be maintained as Annex 3 if specific authorization is agreed instead of general authorization.

The clauses also contain some options including the choice of the EU Member State whose law is to apply to the clauses. In this respect, the clauses must be carefully filled out for the respective case. Companies and consultants should familiarize themselves with this in the coming weeks and, if necessary, prepare templates for typical cases from their own practice.

May the Old EU Standard Contractual Clauses Still be Used?

The previous EU standard contractual clauses can still be used for new contracts until September 26, 2021. Contracts concluded in this way can remain unchanged until December 27, 2022, but must then be adapted (see the next point).

When Do Legacy Contracts Have to be Revised?

Contracts that contain the old EU standard contractual clauses must be converted to the new version by December 27, 2022.

To do this, you should first draw up an overview of all contractual partners with whom your company has previously agreed the EU standard contractual clauses. This concerns, for example, contracts with cloud providers that provide hosting or support outside the EU (e.g. Microsoft, AWS or SAP). But also consider contracts with smaller service providers (controller-to-processor) as well as with controllers (controller-to-controller).

Set a timetable for updating contracts by December 2022 at the latest. In principle, it makes sense to write to the contract partners now and propose a changeover to the new EU standard contractual clauses. In the case of larger providers (such as hyperscalers), you can assume that they will first review the clauses, integrate them into their contracts and update old contracts in the coming months; in this respect, you can make a note to follow up at the end of the year and then approach these providers if necessary.

What about Intercompany Contracts?

Intra-group contracts for the transfer of personal data must also be updated. Since the new clauses cover even more situations than before, they are in any case better suited to regulating intra-group data exchange. Therefore, commission a revision in good time. Again, the deadline by which new group agreements must enter into force is December 27, 2022.

Is “Schrems II” Finished With That?

Probably not. The EU Commission has made efforts to include additional contractual guarantees in the new clauses. However, the European data protection authorities have expressed scepticism in advance that this will be sufficient for all cases of transfers to the U.S., for example. The new clauses are therefore helpful, but presumably do not end the ongoing discussion about the need for additional measures for transfers to countries such as the U.S.

What Opportunity do the New Model Contracts for Controller-Processor Agreements Offer?

The model agreements for commissioned processing pursuant to Art. 28 GDPR issued in parallel – these somewhat confusingly share the official name “standard contractual clauses” – do not imply any mandatory action. Their use is optional. However, they offer opportunities. As an official model contract, they can shape future legal practice. The use of these clauses is likely to facilitate negotiations with service providers (or, as the case may be, clients). Companies should leverage this potential by critically reviewing their previously used templates and, where appropriate, adapting them to the new standard clauses.