Controllers and processors subject to the GDPR, including those established outside the EEA,[1] may rely on the Standard Contractual Clauses (“SCCs”) issued by the European Commission.[2] [3]
The SCCs follow a modular approach to provide for a range of transfer scenarios. They contain four sets of clauses (modules) depending on the role of the data exporter and data importer as processor or controller:
- Module 1: Transfer from controller to controller(“C2C”),
- Module 2: Transfer from controller to processor (“C2P”),
- Module 3: Transfer from processor to processor (“P2P”),
- Module 4: Transfer from processor to controller (“P2C”).
The SCCs shall be signed before any transfer takes place. Of note is that the SCCs contain a docking clause that allows additional data exporters or importers to accede to the SCCs throughout the lifecycle of the contract (Clause 7 of the SCCs).
The SCCs assist data exporters and importers in complying with the requirement of a transfer impact assessment and the implementation of supplementary measures as set out in the Schrems II judgment.
Thus, section III (“Local laws and obligations in case of access by public authorities”) of the SCCs sets out that:
- the data exporter (with the assistance of the data importer) is obliged to take into account the level of protection in the third country in question, the specific circumstances of the transfer and any technical and organisational measures to put in place to supplement the SCCs, and
- the data importer has the obligation to notify the data exporter, if there are changes in the situation in the third country which create an inability to comply with the SCCs. In this case, the exporter must adopt appropriate measures to address the situation or must suspend the transfer.
Furthermore, the SCCs contain practical examples of technical supplementary measures, such as encryption.
[1] Subject to the GDPR by virtue of Article 3 of the GDPR.
[2] European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
[3] The SCCs were updated on 4 June 2021 and replace the previously applicable SCCs.