New Draft Standard Contractual Clauses – P2C transfers

On 12 November 2020, the European Commission published draft new EU Standard Contractual Clauses (New SCCs) for consultation. The consultation period closes on 10 December 2020.

When the New SCCs are in force they will repeal the current SCCs (both the 2001 and 2004 C2C SCCs and the 2010 C2P SCCs) (Existing SCCs). The New SCCs take account of, and work, with the Schrems II judgment.

When the consultation period closes, the European Commission will release their final versions. There will then be a one year sunset period for parties to put the New SCCs in place. During this sunset period, transfers can continue to be made on the basis of the Existing SCCs, unless those contracts are changed. If the contracts are changed, then the parties lose the benefit of the sunset provision and must move to the New SCCs. If the parties change existing contracts in order to introduce additional safeguards (as required by Schrems II and the EDPB Recommendation) then they can still benefit from the sunset period.

Businesses should not underestimate the significant effort that will be required to implement the New SCCs. This is because of the requirements associated with:

  • documenting transfer impact assessments;
  • providing enhanced information to data subjects; and
  • flowing-down the same terms to third parties/sub-processors if there are onward transfers. 

Until there is an adequacy decision from the European Commission in relation to the UK, the New SCCs are likely to be the transfer mechanism that UK businesses will need to accept if they want to receive personal data from the EEA from 1 January 2021.

For the purposes of Brexit, the UK has ratified the Existing SCCs into UK law for use from 1 January 2021 where UK businesses are transferring personal data outside the UK to a country where there is no adequacy decision (adequacy has been given to countries within the EEA as well as Gibraltar, Andorra, Argentina, Canada (only personal data that is subject to PIPEDA), Guernsey, Isle of Man, Israel, Japan (transfers to private sector businesses only), Jersey, New Zealand, Switzerland and Uruguay). There is no decision yet on whether the ICO intends to ratify the New SCCs once they are in final form.

Of course, there could be changes to the New SCCs as a result of the public consultation but it is doubtful that they will change significantly. What then are the likely obligations on companies when a processor transfers personal data back to a controller?

Key: DE = Data exporter (Processor) / DI = Data importer (Controller) / DS = Data Subjects / SA = Supervisory Authority(ies)

Purpose and scope  

* SCCs are designed to set “appropriate safeguards”.
* DS have rights to enforce certain provisions directly against DE/DI.
* GDPR definitions apply.
* SCCs prevail in event of conflict with terms of main agreement (It is arguable that because the SCCs contain comprehensive data protection terms, that in some instances go further than Article 28, there will inevitably be some conflict with certain commercially-agreed data protection terms).
* Additional provisions can be agreed provided they don’t contradict, directly or indirectly, the SCCs or prejudice fundamental rights and freedoms of DS.
* Optional accession mechanism where other parties can accede to SCCs.
Clause 1: Data Protection Safeguards  
DE warranty that is has used reasonable efforts to determine DI can comply with its obligations under SCCs.  
Instructions: DE only process personal data on documented instructions of DI acting as its controller and DE must immediately inform DI if it cannot comply with instructions. DI to refrain from any action that would prevent DE from fulfilling its obligations under the GDPR.  
Security of Processing: Parties to ensure security of processing including during transmission.  
Documentation and Compliance: DE/DI must be able to demonstrate compliance with SCCs.  
Clause 2: Local laws affecting compliance with clauses  

Note: This is only applicable if an EU processor combines personal data received from the third country (non-EEA controller with personal data collected by a processor in the EU.  Therefore, not applicable if the EU processor merely processes EU data received from controller.  The intent of this “light touch” approach is to help avoid putting EEA processors at a commercial disadvantage to non-EEA processors when touting for business from non-EEA controllers.  

As a result of the impact of Schrems II, both parties warrant that they have no reason to believe laws in a third country (including relating to access by public authorities) would prevent DI from fulfilling its obligations. Carve out for laws that respect the essence of fundamental rights & freedoms and don’t exceed what is necessary & proportionate to safeguard one of the objectives in Article 23(1) GDPR (namely measures to restrict scope of GDPR in certain areas e.g., national or public security, and prevention, investigation, detection and prosecution of criminal offences). In giving warranties, parties declare that they have taking due account of:
* circumstances of the transfer (i.e. content and duration of contract, scale and regularity of transfers, length of processing chain, the number of actors involved and transmission channels used, type of recipient, purpose of processing, nature of personal data transferred and any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by DI for the type of data transferred);
* relevant laws of third country including those requiring to disclose data to public authorities or authorising access by such authorities, as well as the applicable limitations and safeguards;
* any safeguards in addition to SCCs, including technical and organisational measures applied during transmission and in country of destination.  

Parties to document assessment and make available to SA on request.  

DI warrants that:
* in carrying out the above investigation it has made best efforts to provide DE with relevant information for assessment and will continue to co-operate in ensuring compliance with SCCs; and
* to immediately notify DE if it has reason to believe that it is or has become subject to laws that are not in line with above obligations, including as a result of change in law.  

If DE receives a notice from DI, or otherwise has reason to believe DI can no longer comply with its obligations in the SCCs, DE must promptly identify appropriate measures (including technical and organisational) which must be adopted by it and/or DI to address the situation (if appropriate in consultation with the SA). This must also be in consultation with the controller and SA. If DE concludes that it: 
* can implement appropriate safeguarding measures and will continue to transfer on this basis, it must notify SA, along with applicable documentation; or
* cannot provide additional safeguards, must cease transfer. If DI is sub-processor, it must suspend transfer if controller instructs it to do so. DE must notify the SA and will be entitled to terminate the contract (This obligation on the DE to “shop” a non-compliant DI is alarming, and may well prevent DI’s from notifying DEs).  

(There is no allowance for low-risk or SME transfers.)  
Clause 3: Obligations on DI in case of government access requests  

Note: This is only applicable if processor combines personal data received from the third country controller with personal data collected by a processor in the EU. Therefore, not applicable if the processor merely processes data received from controller.  

As a result of the impact from Schrems II, DI must:
* notify DE and DS (where possible and if necessary with DE’s help), if it receives a legally binding request for disclosure of personal data by a public authority in a third country (certain info must be included in the notice), or if it becomes aware of direct access by public authorities in a third country to personal data transferred pursuant to the SCCs (notice to contain all info available to DI). If local law prohibits notification, DI must use best efforts to obtain a waiver of the prohibition and to communicate as much as possible (DI to document this so it can demonstrate to DE upon request). If local law prohibits notification, DI must use best efforts to obtain a waiver of the prohibition and to communicate as much as possible (DI to document this so it can demonstrate to DE upon request);
* to extent permissible under local law of the third country, provide DE, at regular intervals, the greatest possible amount of relevant info on requests received (e.g. no. of requests, types of data requested, requesting authority, and what requests have been challenged and outcome) (this shows some limited tolerance for DI’s who are subject to conflicting local law requirements);
* preserve the above info and make it available to SA upon request;
* assess the legality of requests it receives and to all exhaust all available remedies to challenge requests (this could be very expensive). Interim measures to be sought to suspend effects of the request until court has decided on the merits. No disclosure of personal data until required to do so under applicable procedural rules and then only minimum amount of info permissible in response to a request; and
* document its legal assessment and any challenge. To extent permissible under third country law, such to be made available to DE and to SA upon request.  

(There is no allowance for low-risk or SME transfers.)  
Clause 4: Use of sub-processors N/A  
Clause 5: DS rights  

Parties to assist each other in responding to DS inquiries and requests under laws applicable to DI or, for processing by the DE in the EU, under the GDPR.  
Clause 6: Redress  

DI to inform DS of contact point for complaints (either by direct notice or website) and handle DS complaints or requests promptly. Optional provision for DI to agree that complaints can be lodged with independent dispute resolution body at no cost to DS – but DS isn’t required to make use of such.  

In addition:
* if there is a dispute with a DS and one of the parties, they must keep each other informed and (where appropriate) co-operate with each other in a timely manner to resolve the complaint;
* if dispute isn’t resolved and DS invokes third party beneficiary rights, DI accepts decision of DS either to complain to a SA or to refer the dispute to the competent courts;
* agreement of the parties that DS can be represented by a not-for-profit body (as per Article 80); and
* DI agrees to abide by decision binding under EU/Member State law.  
Clause 7: Liability  

Each party shall be liable:
* to the other party for material and non-material damages caused by its breach of the SCCs. Liability is limited to actual damage suffered (punitive damages excluded); and
* to DS’s for material and non-material damage it causes DS for any breach of the clauses which the DS’s are entitled to enforce under the SCCs (as per Clause 1).   

If more than one party is responsible for damage, then parties are jointly and severally liable to DS. DI cannot invoke the conduct of a sub-processor to avoid its own liability.  

(It will be important to ensure that commercially-agreed limitations of liability provisions complement these terms and do not conflict with them.)  
Clause 8: Indemnity

If one party is held jointly and severally liable for a breach of the SCCs together with another party, it is entitled to claim back (as an indemnity) that part of the liability that corresponds to the party’s part of responsibility. Indemnification is contingent upon the party being indemnified to (i) give prompt notification to the other party to the claim and (i) provide reasonable co-operation and assistance to the other party in defence of such claim.  
Clause 9: Supervision  

The competent SA will be:

* the SA which is competent in relation to the DE (it must be named); or
* if the DE is not established in a Member State, but the GDPR apply by virtue of Article 3(2), then the SA of the Member State where DS’s are located shall be the competent SA (and must be named – there could be multiple but the drafting doesn’t cater for such).  

DI agrees to submit to jurisdiction of competent SA and to respond to inquiries, submit to audits by and comply with measures adopted by the SA, including remedial and compensatory measures.  
Clause 1: Non-compliance with SCCs and termination) – DI to promptly inform DE if unable to comply with SCCs. If DI is in breach or unable to comply, DE must suspend transfer until compliance is ensured or the contract is terminated. DE is entitled to terminate “the contract” if:
* DE has suspended transfer to DI and compliance is not restored within a reasonable time and in any event within one month;
* DI is in substantial or persistent breach of the SCCs; or
* DI fails to comply with a binding decision of court or competent SA. DE must inform competent SA of any non-compliance.

In the event of termination, data is to be deleted or returned. If DI has to keep data to meet third country laws, it must continue to ensure protection for the data and only process it for so long as required under those local laws.  

SCCs can be revoked if an adequacy decision is adopted or if GDPR becomes part of the legal framework of the third country.  

Clause 2: Governing law – SCCs are governed by law of one of the EU Member States, provided such law allows for third party beneficiary rights. Governing law to be specified.  

Clause 3: Forum and jurisdiction – Disputes arising from the SCCs are to be resolved by courts of an EU Member State (which must be specified). DS may also bring proceedings against DE and/or DI in courts of Member State where the DS has his/ her habitual residence.  
Annex 1.A – List of Parties
Annex I.B – Description of transfer
Annex II – Technical and organisational measures (includes a list of the types of security controls that might be in place)
Annex III – List of Sub processors  

If you would like any advice regarding the Existing SCCs or New SCCs, please contact us.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.