On 4 June 2021, the European Commission published new standard contractual clauses, which need to be concluded when personal data are transferred to third countries that do not have adequate protection of personal data. The new clauses take into account the 2020 judgement of the Court of Justice of the EU (Schrems II), which annulled the Privacy Shield mechanism for data transfer to third countries.
Namely, after the Schrems II judgment, most controllers and executors continued to rely on existing standard contractual clauses as a safeguard for the transfer of personal data to third countries, i.e. countries that are not declared by the European Commission as countries with adequate protection of personal data. However, although the Court of Justice of the European Union did not annul the existing standard contractual clauses by the Schrems II judgment, it emphasized that the data exporter must assess the laws and the level of personal data protection of the country to which personal data are exported. In other words, concluding existing standard contractual clauses is not enough.
In this regard, the European Commission has adopted new standard contractual clauses, which take into account the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, the feedback during the public consultation and the opinion of the representatives of the EU Member States. The decision of the European Commission and the new standard contractual clause can be found at the following link: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
Compared to the previous version of the standard contractual clauses, the new standard contractual clauses are fully in line with the terms of the General Data Protection Regulation (“GDPR”), they provide for a wide range of possible transfer circumstances and greater flexibility for complex process chains, through a “modular approach”, offering the possibility for more than two parties to join and use the clauses.
In addition, the new clauses provide a practical set of tools to comply with the Schrems II judgment, thus providing an overview of the various steps that data controllers and data processors must take to comply with the Schrems II judgment, giving examples of possible “complementary measures” such as encryption.
The new standard contractual clauses include several modules: transfer from the data controller to the data controller, transfer from the data controller to the data processor, transfer from the data processor to the data processor and transfer from the data processor to the data controller.
Annex II of the new standard clauses contains a detailed description of technical and organizational measures including, inter alia, measures for identification, storage, transmission, configuration, management and storage of data, while Annex III contains a list of subcontractors.
For data controllers and data processors who are currently using previous sets of standard contractual clauses, a transitional period of 18 months is provided in which the old standard contractual clauses must be replaced by new standard contractual clauses.