The new standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and the standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”) issued by the European Commission present both opportunities and challenges for EU service providers supporting EU and non-EU customers, some of which are outlined below.
1. When do the Ex-EU SCCs apply?
EU service providers supporting non-EU customers might want to enter into the new Ex-EU SCCs with such customers. Therefore, one of the first questions that comes to mind is when the Ex-EU SCCs apply. This is, however, not fully clear. Recital 7 (emphasis added) of the Ex-EU SCCs states:
“(7) A controller or processor may use the standard contractual clauses set out in the Annex to this Decision to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or controller established in a third country, without prejudice to the interpretation of the notion of international transfer in Regulation (EU) 2016/679. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.”
Does the second sentence of Recital 7 mean that a non-EU data importer who is subject to the GDPR according to its Article 3 (2) does not need to sign any international data transfer vehicle (i.e., because it is already covered by the GDPR, including Article 44 et seq. GDPR)? And, should the answer be “no”, which data transfer vehicle would need to be used? These questions currently remain unresolved and should be monitored very closely.
2. How should EU service providers supporting EU or non-EU customers use the respective SCCs?
The new Ex-EU SCCs offer more flexibility through a “modular approach”. With non-EU customers, EU service providers will be able to build a “processor-to-controller” data transfer agreement thanks to the new module “P2C” (further details in question 8 below), or even a “controller-to-controller” agreement. What is also interesting is that, with the simultaneous publication of the Intra-EU SCCs, EU service providers were also provided with a new tool to comply with Article 28 (3) and (4) GDPR. For EU service providers who mainly provide services within the EU to EU customers, and who only occasionally transfer personal data outside of the EU (for instance, if they agree to provide services to a non-EU customer), the question arises in practice which SCCs should be used. Recital 10 of the Commission’s implementing decision on the Intra-EU SCCs clarifies that the Intra-EU SCCs cannot be used as standard contractual clauses for the purpose of Chapter V GDPR. But does this mean that an EU service provider who wants to implement its new template following Schrems II must in any case use the Ex-EU SCCs? Is it possible to remove the part relating to Article 28 from the Ex-EU SCCs, keep the provider’s own data processing agreement to govern the controller-processor relationship, and add the relevant parts of the SCCs in an Annex in case it is confirmed that there will be a transfer? Despite the effort and investment required, implementing two different templates, one covering transfers and one covering non-transfers, seems to be the best way to proceed.
3. May EU service providers supporting EU and non-EU customers continue to rely on their own data processing templates?
With the adoption of the Intra-EU SCCs, the European Commission has provided standard contractual clauses pursuant to Article 28 (7) GDPR that can be used by EU service providers when processing personal data on behalf of EU and non-EU customers. The Intra-EU SCCs are deemed to fulfil the requirements of Article 28 (3), (4) GDPR. Furthermore, the Ex-EU SCCs are now also deemed to fulfil the requirements for the engagement of (sub-) processors pursuant to Article 28 (3) and (4) GDPR if used without modification. That is, where an EU service provider engages a sub-processor outside of the EU, or where an EU service provider processes personal data on behalf of a non-EU customer, and where the parties enter into the (respective Module of the) Ex-EU SCCs to provide appropriate safeguards within the meaning of Article 46 GDPR, they do not, in addition, need to enter into a data (sub-) processing agreement to fulfil the requirements of Article 28 (3), (4) GDPR.
Nevertheless, the parties remain free to fulfil the requirements of Article 28 (3), (4) GDPR by entering into an individually negotiated data (sub-) processing agreement instead of relying on the Intra-EU/Ex-EU SCCs for that purpose. This is expressly stated in Article 28 (6) GDPR. In such a case, it has to be assessed on a case-by-case basis whether the individually negotiated data (sub-) processing agreement fulfils the requirements of Article 28 (3), (4) GDPR. However, if there is doubt in the future as to whether that is the case, data protection authorities might compare the relevant individually negotiated provisions with the corresponding provisions in the Intra-EU/Ex-EU SCCs. In addition, where the parties enter into an individually negotiated data processing agreement and conclude the Ex-EU SCCs with respect to the transfer of data to a third country, it can be questioned whether this risks losing the adequacy protection afforded by the Ex-EU SCCs (see question 4).
4. If EU service providers conclude their own Article 28 contract, do they risk losing the adequacy protection for deviating from the SCCs?
The implementing decision of the European Commission related to the Ex-EU SCCs specifies that the SCCs can be used in whole or in part by the parties, who can include their own DPA. Pursuant to Article 46 (3) (a) GDPR, authorization from the competent supervisory authority is required if the appropriate safeguards required for transfers in the absence of a decision pursuant to Article 45 (3) are based on “contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization”, whereas pursuant to Article 46 (2) (c), authorization from the competent authority is not required if “standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2)” are used. This raises the question whether the use of an Article 28 contract that differs from the provisions of the Ex-EU SCCs cancels the benefit of using standard clauses and requires prior approval from the competent authority. Given the terms of Clause 2 (“Effect and Invariability of the Clauses”) of the Ex-EU SCCs, and in light of Recital 109 GDPR and Recital 3 of the implementing decision, it seems that, to the extent the non-standard Article 28 contract does not contradict, directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of data subjects, the Ex-EU SCCs keep their “standard” character and hence do not lose their adequacy protection.
5. To what extent may EU service providers and their customers agree on limitations of liability in the commercial agreement?
The Ex-EU SCCs allow the parties to include them in a wider contract and/or to add other clauses or additional safeguards, provided that these do not contradict, directly or indirectly, the Ex-EU SCCs or prejudice the fundamental rights or freedoms of data subjects. This leads to the question whether, and in which cases, limitations of liability might be seen to contradict the standard contractual clauses. On the one hand, the wider contract mentioned above typically also includes a limitation of liability. Also, the Ex-EU SCCs do not state that each party’s liability vis-à-vis the other party shall be unlimited. This supports the view that a market-standard limitation of liability may be agreed in the wider contract, as long as it does not affect the rights of the data subjects. On the other hand, the Ex-EU SCCs state that “Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.” Therefore, it could be questioned whether the exclusion of certain types of damages contradicts the aforementioned provision, because in such a case a party would not be liable for “any” (type of) damage. In addition, it is questionable whether extremely far-reaching limitations of liability could otherwise be seen as a contradiction. This is because, if a limitation of liability effectively leads to an exclusion of a party’s liability, that party might be discouraged from complying with the Ex-EU SCCs.
The Intra-EU SCCs also allow the parties to include them in a broader contract, or to add other clauses or additional safeguards, provided that these do not directly or indirectly contradict the Intra-EU SCCs or detract from the fundamental rights or freedoms of data subjects. However, the Intra-EU SCCs do not contain provisions on liability. Thus, including a limitation of liability in the broader contract is less likely to be seen as a contradiction of the Intra-EU SCCs. Nevertheless, any limitation of liability should remain such that it does not discourage a party from complying with the Intra-EU SCCs.
6. Which conditions apply to the engagement of sub-processors?
One of the main purposes of the Ex-EU SCCs is to ensure that the level of protection of the transferred personal data is essentially equivalent to that guaranteed within the EU. For this reason, onward transfers by the data importer to a third party in another third country are allowed only if the third party accedes to the Ex-EU SCCs, or if the continuity of protection is ensured otherwise. The international transfer may also be allowed in specific situations, such as on the basis of the explicit, informed consent of the data subject.
The use of sub-processors may be allowed based either on the specific prior authorization of the data exporter or on a general authorization; both types of authorization must be in written form. The parties may agree on the time period within which the data importer must submit its request for specific authorization to the data exporter, together with all information necessary for the data exporter’s decision. The list of authorized sub-processors must be set out in an Annex to the Ex-EU SCCs, and the parties must keep that Annex up to date during their relationship. In the case of a general authorization, the parties must agree on the list of approved sub-processors, which is a new requirement introduced by the Ex-EU SCCs. The list of approved sub-processors is maintained by the data importer, who must inform the data exporter of any changes sufficiently in advance to allow the data exporter to object to them.
The contract with the sub-processor must contain the same data protection obligations as those binding the data importer, and the data importer must ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to the Ex-EU SCCs.
7. What applies with respect to audits under the new SCCs?
The Ex-EU SCCs’ Modules 2 (Controller-to-Processor), 3 (Processor-to-Processor) and also 4 (Processor-to-Controller) all include a certain right to conduct audits. For Modules 2 and 3, this includes an obligation of the data importer to provide “all information necessary to demonstrate compliance with the obligations set out in” the Ex-EU SCCs and, at the data exporter’s request, to “allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance”, while the data exporter may “take into account relevant certifications held by the data importer”. Module 4 (which would be more relevant for EU service providers supporting non-EU customers) at least contains the obligation of the data exporter to “make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.” The Intra-EU SCCs contain an obligation more or less identical to that in Modules 2 and 3 of the Ex-EU SCCs.
The clauses remain silent with respect to the cost allocation of audits (as did the old Ex-EU SCCs). Given that the Ex-EU SCCs allow the parties to add other clauses or additional safeguards (e.g., in a broader contract) provided that these do not directly or indirectly contradict the Ex-EU SCCs, one could argue that cost allocation rules can be agreed upon, since such rules at least do not directly contradict the Ex-EU SCCs (the same applies mutatis mutandis to the Intra-EU SCCs). However, it should be considered that guidance exists which questions arrangements under which the controller/data exporter has to bear the audit costs, as this may indirectly prevent such audits from being conducted. The situation should be monitored very closely in this context.
The same applies to the well-known practice of taking a tiered approach to audits, namely:
- Step 1: Audits are conducted on the basis of certificates, third-party audit reports and other documentation (paper-based audit), and
- Step 2: only to the extent that Step 1 is not satisfactory, or given specific circumstances, or where specifically required by law, an on-site audit is conducted.
One could argue, though, that this is not a new issue, as the old Ex-EU SCCs (see Clause 5 (f)) already included an obligation similar to the one contained in the new Ex-EU SCCs and Intra-EU SCCs, and it was quite common practice to agree on the aforementioned tiered approach. It remains to be seen whether the new SCCs will again fuel this discussion. It goes without saying that both the controller/data exporter and the processor/data importer have a great (and in most cases mutual) interest in agreeing on such a tiered approach to keep audits manageable and appropriate.
8. Questions raised by the P2C Module
Given the wording of Art. 44 et seqq. GDPR, it is clear that an EU processor (or a processor falling under the applicability of the GDPR) needs to adhere to the international data transfer requirements of the GDPR and, hence, needs to implement appropriate safeguards where data processed for a non-EU controller is transferred internationally. Until the new Ex-EU SCCs, no such transfer mechanism was available. With the new Ex-EU SCCs and their Module 4 (Processor-to-Controller), such a mechanism now exists and allows EU processors to close this gap. It remains to be seen, though, how easily such clauses can be implemented with non-EU customers and whether the underlying requirement and the clauses themselves create a competitive disadvantage compared to non-EU service providers. In this context, it needs to be taken into account that Module 4 of the Ex-EU SCCs contains quite a set of obligations for the non-EU customer (including, inter alia, an obligation to refrain from any action that would prevent the data exporter from fulfilling its obligations under the GDPR, the necessity to implement appropriate technical and organizational measures to ensure the security of the data, and a (mutual) obligation to assist each other in responding to enquiries and requests made by data subjects).
9. Is the implementation period long enough?
Both the Intra-EU SCCs and the Ex-EU SCCs are effective as of 27 June 2021. However, controllers and processors must use the Ex-EU SCCs as of 27 September 2021 if they implement new business procedures that involve the international transfer of personal data, or if they modify the data processing operations that are the subject matter of the currently used contracts. Also, the parties must not rely on their existing contracts based on the now repealed SCCs if such contracts do not ensure appropriate safeguards for the international transfers.
The three-month interim period available for controllers and processors to prepare the necessary contractual documentation and implement the necessary technical and organizational measures might be too tight. Adopting the new measures and setting up the proper contractual arrangements are usually complex tasks that require assessing the whole supply chain, including all affected sub-processors and the risks the data transfer creates. What further complicates matters is that two of the three available months fall within the holiday high season, during which business and decision-making procedures at companies might slow down.