New draft standard contractual clauses – c2p transfers

On 12 November 2020, the European Commission published draft new EU Standard Contractual Clauses (New SCCs) for consultation. The consultation period closes on 10 December 2020.

When the New SCCs are in force they will repeal the current SCCs (both the 2001 and 2004 C2C SCCs and the 2010 C2P SCCs) (Existing SCCs). The New SCCs take account of, and work, with the Schrems II judgment.

When the consultation period closes, the European Commission will release their final versions. There will then be a one year sunset period for parties to put the New SCCs in place. During this sunset period, transfers can continue to be made on the basis of the Existing SCCs, unless those contracts are changed. If the contracts are changed, then the parties lose the benefit of the sunset provision and must move to the New SCCs. If the parties change existing contracts in order to introduce additional safeguards (as required by Schrems II and the EDPB Recommendation) then they can still benefit from the sunset period.

Businesses should not underestimate the significant effort that will be required to implement the New SCCs. This is because of the requirements associated with:

  • documenting transfer impact assessments;
  • providing enhanced information to data subjects; and
  • flowing-down the same terms to third parties/sub-processors if there are onward transfers. 

Until there is an adequacy decision from the European Commission in relation to the UK, the New SCCs are likely to be the transfer mechanism that UK businesses will need to accept if they want to receive personal data from the EEA from 1 January 2021.

For the purposes of Brexit, the UK has ratified the Existing SCCs into UK law for use from 1 January 2021 where UK businesses are transferring personal data outside the UK to a country where there is no adequacy decision (adequacy has been given to countries within the EEA as well as Gibraltar, Andorra, Argentina, Canada (only personal data that is subject to PIPEDA), Guernsey, Isle of Man, Israel, Japan (transfers to private sector businesses only), Jersey, New Zealand, Switzerland and Uruguay). There is no decision yet on whether the ICO intends to ratify the New SCCs once they are in final form.

Of course, there could be changes to the New SCCs as a result of the public consultation but it is doubtful that they will change significantly. What then are the likely obligations on companies where one is a controller and the other is a processor?

Key: DE = Data exporter / DI = Data importer / DS = Data Subjects / SA = Supervisory Authority(ies)

Purpose and scope  

* SCCs are designed to set “appropriate safeguards”.DS have rights to enforce certain provisions directly against DE/DI.
* GDPR definitions apply.
* SCCs prevail in event of conflict with terms of main agreement (It is arguable that because the SCCs contain comprehensive data protection terms, that in some instances go further than Article 28, there will inevitably be some conflict with certain commercially-agreed data protection terms).
* Additional provisions can be agreed provided they don’t contradict, directly or indirectly, the SCCs or prejudice fundamental rights and freedoms of DS.
*Optional accession mechanism where other parties can accede to SCCs.
Clause 1: Data Protection Safeguards  
DE warranty that is has used reasonable efforts to determine DI can comply with its obligations under SCCs.  
Instructions: DI only process personal data on documented instructions of DE (which may be given throughout duration of SCCs) and DI must immediately inform DE if it cannot comply with instructions.  
Purpose: DI to only process on basis of Annex I.B.  
Transparency: DI/DE to provide copy of SCCs to DS upon request (certain redactions permitted).
Accuracy: Obligation to notify other party if becomes aware data is inaccurate (without undue delay). DI to cooperate with DE to erase or rectify data.  
Storage Limitation and erasure or return of data: Two options for DI: delete at end of contract and certify or return all copies and delete existing copies. No retention after end of contract even if local laws prohibition return/deletion unless DI can guarantee (i) same level of protection afforded in the SCCs to retain data; and (ii) to only process to extent and for as long as local law requires. (The latter shows some limited tolerance for DI’s who are subject to conflicting local law requirements).  
Security of Processing:

* Security obligations – DE during transmission, and DI throughout processing with regular checks to ensure measures provide appropriate level of security. If pseudonymisation is used additional info for attributing the data to a specific DS shall where possible remain under the exclusive control of DE.
* DI to implement technical and organisational measures set out in Annex II.
* DI to grant access to data to personnel only to extent strictly necessary for implementation, management and monitoring.
* DI to ensure personnel under confidentiality obligation.
* Data breach notification obligations as per GDPR.  
Special categories of Personal Data: DI to apply specific restrictions and/or additional safeguards (no examples given like C2C).  
Onward Transfers: DI can only disclose data to a third party on basis of documented instructions from DE. Furthermore, data can only be transferred to a third party outside EEA if third party:
* agrees to be bound by SCCs; or
* otherwise ensures other adequate safeguards per Articles 46 or 47.  
Documentation and Compliance: DE/DI must be able to demonstrate compliance with SCCs. DI must also:
* promptly and properly deal with inquiries from DE relating to processing under SCCs; * keep appropriate documentation on its processing activities on behalf of DE, make such info available to DE and allow for/contribute to audits by DE or rely on independent audit organised by DI and at its cost (to include premises audit) (this ability for a DE to rely on an independent audit (albeit mandated by the DI) is a positive step. However the impracticalities of this direct interaction between sub-processors and ultimate controllers assumes that sub-processors will know who the ultimate controllers are – which, in many cases, they won’t);
* promptly and properly deal with inquiries from DE that relate to its processing under the SCCs; and
* make audit results and info available to SA upon request.    
Clause 2: Local laws affecting compliance with clauses  

As a result of the impact of Schrems II, both parties warrant that they have no reason to believe laws in a third country (including relating to access by public authorities) would prevent DI from fulfilling its obligations. Carve out for laws that respect the essence of fundamental rights & freedoms and don’t exceed what is necessary & proportionate to safeguard one of the objectives in Article 23(1) GDPR (namely measures to restrict scope of GDPR in certain areas e.g., national or public security, and prevention, investigation, detection and prosecution of criminal offences). In giving warranties, parties declare that they have taking due account of:
* circumstances of the transfer (i.e. content and duration of contract, scale and regularity of transfers, length of processing chain, the number of actors involved and transmission channels used, type of recipient, purpose of processing, nature of personal data transferred and any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by DI for the type of data transferred);
* relevant laws of third country including those requiring to disclose data to public authorities or authorising access by such authorities, as well as the applicable limitations and safeguards;
* any safeguards in addition to SCCs, including technical and organisational measures applied during transmission and in country of destination.  

Parties to document assessment and make available to SA on request.  

DI warrants that:
* in carrying out the above investigation it has made best efforts to provide DE with relevant information for assessment and will continue to co-operate in ensuring compliance with SCCs; and
* to immediately notify DE if it has reason to believe that it is or has become subject to laws that are not in line with above obligations, including as a result of change in law.  

If DE receives a notice from DE, or otherwise has reason to believe DI can no longer comply with its obligations in the SCCs, DE must promptly identify appropriate measures (including technical and organisational) which must be adopted by it and/or DI to address the situation (if appropriate in consultation with the SA). If DE is a processor this must also be in consultation with the controller and SA. If DE concludes that it: 
* can implement appropriate safeguarding measures and will continue to transfer on this basis, it must notify SA, along with applicable documentation; or
* cannot provide additional safeguards, must cease transfer. DE must notify SA and will be entitled to terminate the contract (This obligation on the DE to “shop” a non-compliant DI is alarming, and may well prevent DI’s from notifying DEs).  

(There is no allowance for low-risk or SME transfers.)  
Clause 3: Obligations on DI in case of government access requests  

As a result of the impact from Schrems II, DI must:
* notify DE and DS (where possible and if necessary with DE’s help), if it receives a legally binding request for disclosure of personal data by a public authority in a third country (certain info must be included in the notice), or if it becomes aware of direct access by public authorities in a third country to personal data transferred pursuant to the SCCs (notice to contain all info available to DI). If local law prohibits notification, DI must use best efforts to obtain a waiver of the prohibition and to communicate as much as possible (DI to document this so it can demonstrate to DE upon request). If local law prohibits notification, DI must use best efforts to obtain a waiver of the prohibition and to communicate as much as possible (DI to document this so it can demonstrate to DE upon request);
* to extent permissible under local law of the third country, provide DE, at regular intervals, the greatest possible amount of relevant info on requests received (e.g. no. of requests, types of data requested, requesting authority, and what requests have been challenged and outcome) (this shows some limited tolerance for DI’s who are subject to conflicting local law requirements);
* preserve the above info and make it available to SA upon request;
* assess the legality of requests it receives and to all exhaust all available remedies to challenge requests (this could be very expensive). Interim measures to be sought to suspend effects of the request until court has decided on the merits. No disclosure of personal data until required to do so under applicable procedural rules and then only minimum amount of info permissible in response to a request; and
* document its legal assessment and any challenge. To extent permissible under third country law, such to be made available to DE and to SA upon request.  

(There is no allowance for low-risk or SME transfers.)  
Clause 4: Use of sub-processors  

Restrictions on sub-contracting without authority of DE with two options in line with Article 28(2) (i.e., specific or general written authorisation) and 28(4) (i.e., written contract and flow-downs). Sufficient notice must be given to allow DE to object. Sub-processors to be listed in Annex III.  

DI to:
* ensure that sub-processor complies with obligations to which DI is subject pursuant to SCCs;
* provide copy of sub-processor agreement (and amendments) upon DE’s request;
* remain responsible for acts of sub-processor; and
* include third party beneficiary clause in sub-processor contracts whereby DE is third party beneficiary to contract in event of bankruptcy of DI (including right to instruct sub-processor to erase or return of data).  
Clause 5: DS rights  

Obligation on DI to:
* promptly notify DE of any DS inquiries or requests it receives; not respond to DS inquiries or requests itself unless or until authorised by DE; and
* assist DE as per Article 28.  
Clause 6: Redress  

DI to inform DS of contact point for complaints (either by direct notice or website) and handle DS complaints or requests promptly. Optional provision for DI to agree that complaints can be lodged with independent dispute resolution body at no cost to DS – but DS isn’t required to make use of such.  

In addition:
* if there is a dispute with a DS and one of the parties, they must keep each other informed and (where appropriate) co-operate with each other in a timely manner to resolve the complaint;
* if dispute isn’t resolved and DS invokes third party beneficiary rights, DI accepts decision of DS either to complain to a SA or to refer the dispute to the competent courts;
* agreement of the parties that DS can be represented by a not-for-profit body (as per Article 80); and
* DI agrees to abide by decision binding under EU/Member State law.  
Clause 7: Liability  

Each party is liable to the other party for material and non-material damages caused by its breach of the SCCs. Liability is limited to actual damage suffered (punitive damages excluded).  

DI is liable to DS’s for material and non-material damage it causes DS for any breach of the clauses which the DS’s are entitled to enforce under the SCCs (as per Clause 1).   

DE is liable to DS’s for material and non-material damage it or DI causes DS for any breach of the clauses which the DS’s are entitled to enforce under the SCCs (as per Clause 1). This is without prejudice to DE’s liability and, where the DE is a processor acting on behalf of a controller, the controller under the GDPR.  

If more than one party is responsible for damage, then parties are jointly and severally liable to DS. DI cannot invoke the conduct of a sub-processor to avoid its own liability.  

(It will be important to ensure that commercially-agreed limitations of liability provisions complement these terms and do not conflict with them.)  
Clause 8: Indemnity

If one party is held jointly and severally liable for a breach of the SCCs together with another party, it is entitled to claim back (as an indemnity) that part of the liability that corresponds to the party’s part of responsibility. Indemnification is contingent upon the party being indemnified to (i) give prompt notification to the other party to the claim and (i) provide reasonable co-operation and assistance to the other party in defence of such claim.  
Clause 9: Supervision  

The competent SA will be:
* the SA which is competent in relation to the DE (it must be named); or
* if the DE is not established in a Member State, but the GDPR apply by virtue of Article 3(2), then the SA of the Member State where DS’s are located shall be the competent SA (and must be named – there could be multiple but the drafting doesn’t cater for such).  

DI agrees to submit to jurisdiction of competent SA and to respond to inquiries, submit to audits by and comply with measures adopted by the SA, including remedial and compensatory measures.  
Clause 1: Non-compliance with SCCs and termination) – DI to promptly inform DE if unable to comply with SCCs. If DI is in breach or unable to comply, DE must suspend transfer until compliance is ensured or the contract is terminated. DE is entitled to terminate “the contract” if:
* DE has suspended transfer to DI and compliance is not restored within a reasonable time and in any event within one month;
* DI is in substantial or persistent breach of the SCCs; or
* DI fails to comply with a binding decision of court or competent SA. DE must inform competent SA of any non-compliance.
In the event of termination, data is to be deleted or returned. If DI has to keep data to meet third country laws, it must continue to ensure protection for the data and only process it for so long as required under those local laws.  

SCCs can be revoked if an adequacy decision is adopted or if GDPR becomes part of the legal framework of the third country.  

Clause 2: Governing law – SCCs are governed by law of one of the EU Member States, provided such law allows for third party beneficiary rights. Governing law to be specified. Parties may select the latter or opt for SCCs to be governed by law of the Member State where the DE is established, provided this allows for third party beneficiary rights. This means that the SCCs don’t require the DE to be established in the EEA which means non-EEA entities can also sign the SCCs as DE.  

Clause 3: Forum and jurisdiction – Disputes arising from the SCCs are to be resolved by courts of an EU Member State (which must be specified). DS may also bring proceedings against DE and/or DI in courts of Member State where the DS has his/ her habitual residence.  
Annex 1.A – List of Parties Annex I.B – Description of transfer
Annex II – Technical and organisational measures (includes a list of the types of security controls that might be in place)
Annex III – List of Sub processors  

If you would like any advice regarding the Existing SCCs or New SCCs, please contact us.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.