Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries
(EU GDPR Compliant, Controller to Processor)
Summary
These clauses contain "module two" of the EU Standard Contractual Clauses (Model Clauses or SCCs) introduced by Commission Implementing Decision (EU) 2021/914 (2021 EU SCCs) for the transfer of personal data from a data controller subject to the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), to a data processor outside the EEA not subject to the EU GDPR. This clause includes practical guidance, drafting notes, and alternate clauses.

Chapter V of the EU GDPR restricts transfers of personal data outside the EEA (or to certain international organisations) unless one of a limited number of appropriate transfer mechanisms is in place. SCCs are one of the mechanisms that may be used to help legitimise otherwise restricted international transfers under the EU GDPR. See Article 46(2)(c) of Regulation (EU) 2016/679, EU GDPR.

These template SCCs may be used for international transfers outside the EEA from a controller to a processor.

SCCs available under the EU GDPR
SCCs that may be used to transfer personal data outside the EEA in compliance with Chapter V (Transfers of personal data to third countries or international organisations) of the EU GDPR are:
• "Module one" of the 2021 EU SCCs for controller to controller transfers, see Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Controller to Controller)
• "Module two" of the 2021 EU SCCs for controller to processor transfers, which this template is based on
• "Module three" of the 2021 EU SCCs for processor to processor transfers, see Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Processor)
• "Module four" of the 2021 EU SCCs for processor to controller transfers, see templates: Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Controller) (Processor Does Not Combine with Personal Data Collected by it in EEA) or Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Controller) (Processor Combines with Personal Data Collected by it in EEA) (as appropriate)
Commission Decision (EU) 2021/914.

Note that the SCCs that were available before 2021 (pre-2021 SCCs) have not been capable of inclusion in new contracts concluded after 26 September 2021, and those already relied on at that date could only continue to be used to provide appropriate safeguards for international transfers under the EU GDPR until 27 December 2022. Those pre-2021 SCCs consisted of:
• Set I—controller to controller SCCs from Commission Decision 2001/497/EC (that set was rarely used as the 2004 set was usually preferred)
• Set II—controller to controller SCCs from Commission Decision 2004/915/EC –and–
• Set II—controller to processor SCCs from Commission Decision 2010/87/EU
See Commission Decision (EU) 2021/914; Commission Decision 2001/497/EC; Commission Decision 2004/915/EC; and Commission Decision 2010/87/EU.

Modifications to the SCCs
Clause 2 of the 2021 EU SCCs states that organisations are permitted to:
• Include the SCCs in a wider contract –and/or–
• Add other clauses or additional safeguards provided the resulting arrangements do not contradict, directly or indirectly, the 2021 EU SCCs or prejudice the fundamental rights or freedoms of data subjects.
Otherwise, the 2021 EU SCCs may not be modified if they are to be relied on as an appropriate safeguard, except to select the appropriate module(s) or to add or update information in the appendix. Practitioners have generally sought to enter into SCCs with little or no change (e.g., even avoiding making corrections to minor inconsistencies or typos).

Minor modifications in this template as compared with the published 2021 EU SCCs
In the absence of guidance to the contrary, this template includes some minor formatting changes to the 2021 EU SCCs. Many of these are broadly in line with the sorts of minor formatting changes made by a supervisory authority (specifically the UK Information Commissioner's Office (ICO)) previously when making its template versions of the pre-2021 SCCs available for organisations via its own website. Examples of such changes include:
• Certain sub-clause headings (e.g., (a), (i) etc.) and text indicating options are in bold for emphasis
• Details of the exporter(s)/importer(s) in Part of Annex and of sub-processors in Annex have been put into boxes
• Page numbers have been added
• The original clause numbering included in the SCCs has been preserved. In order to accomplish this, it is assumed that any blank clauses (e.g., optionally clause in this template) will be indicated as '[Not used]'
We will keep this approach under review and adapt it as appropriate based on future guidance.

Limited guidance
The Commission has published 'questions and answers' addressing certain aspects of the 2021 EU SCCs. See Commission—New standard contractual clauses: questions and answers.

There is uncertainty regarding how a number of provisions and aspects of the 2021 EU SCCs should be interpreted or applied in practice. It is hoped that the Commission will release further guidance (e.g., FAQs). These drafting notes will be supplemented with additional information based on such guidance and emerging market practice in due course.

Whether one set of SCCs can include multiple modules
These template clauses only include provisions from module two. In its opinion on the draft SCCs, the EDPB noted that:

It is not clear whether one set of the SCCs can include several modules in practice to address different situations, or whether this should amount to the signing of several sets of the SCCs. In order to achieve maximum readability and easiness in the practical application of the SCCs, the EDPB… suggest that the European Commission provides additional guidance (e.g. in the form of flowcharts, publication of Frequently Asked Questions (FAQs), etc.). In particular, it should be made clear that the combination of different modules in a single set of SCCs cannot lead to the blurring of roles and responsibilities among the parties.

EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries.

Clause 2 of the final SCCs added a reference to the parties being able to modify the Clauses to "select the appropriate Module(s)". However, Recital 10 of the Commission's Implementing Decision refers to single modules being selected and states that organisations should "select the module applicable to their situation".

Guidance issued by the Commission states that where the parties have different roles (e.g., controller and processor) for direct data transfers they should use the appropriate module for each such transfer:

For example, for some data transfers by a controller (data exporter), the data importer may act as a controller, whereas it may be a processor for others. In that case, the parties may use both Module 1 (for those transfers for which both the data exporter and data importer act as controllers) and Module 2 (for those transfers for which the data exporter acts as controller and the data importer as processor).

Requirement to undertake a "transfer impact assessment" and ensure compliance with Schrems II
All SCCs may only be used where it has been confirmed, based on a case-by-case assessment, that an appropriate level of protection is provided for the personal data in the circumstances (a "transfer impact assessment").

Execution of the SCCs
Unlike the pre-2021 SCCs, the 2021 EU SCCs do not include specific template execution blocks (see, for example, after clause 12 of the 2010 controller to processor SCCs). The signature blocks in Annex may not meet the necessary formalities required under local law, depending on the local law and circumstances. Therefore, if the SCCs are to be executed separately, it is assumed that appropriate execution clauses must be included as appropriate depending on the nature of the parties and applicable law. Local law advice should be taken as appropriate.

In practice, the 2021 EU SCCs are capable of inclusion in a wider contract (e.g. as a schedule or addendum that is appropriately incorporated into the executed agreement). It is perhaps more likely that organisations will choose to adopt that approach rather than separately executing the SCCs. Even if the 2021 EU SCCs are incorporated in a wider contract, it is assumed that the signature lines in Annex must still be signed and completed as appropriate.

Relationship with the UK GDPR
The United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) regime (rather than the EU GDPR) is applicable under UK law from the end of the Brexit implementation period (11 pm on 31 December 2020). The UK GDPR is heavily derived from the EU GDPR and generally the terms and core concepts used in the UK GDPR have the same meaning as they do in the EU GDPR, although there are a number of key detailed differences between the two regimes, including in respect of restrictions on international transfers.

Chapter V of the UK GDPR restricts transfers of personal data outside the UK (or to certain international organisations). These template clauses, and the 2021 EU SCCs, have no legal status under the UK GDPR and therefore cannot be used as an international transfer mechanism under the UK GDPR.

For additional GDPR resources, see General Data Protection Regulation (GDPR) Overview Resource Kit. For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy.