The new standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”) issued by the European Commission provide both opportunities and challenges for EU service providers supporting EU and non-EU customers, some of which are outlined below.

1. When do the Ex-EU SCCs apply?

EU service providers supporting non-EU customers might want to enter into the new Ex-EU SCCs with such customers. Therefore, one of the first questions that comes to mind is when the Ex-EU SCCs apply. This is, however, not fully clear. Recital 7 (emphasis added) of the Ex-EU SCCs states:

“(7) A controller or processor may use the standard contractual clauses set out in the Annex to this Decision to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or controller established in a third country, without prejudice to the interpretation of the notion of international transfer in Regulation (EU) 2016/679. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.”

Does the second sentence of Recital 7 mean that a non-EU data importer who is subject to the GDPR according to its Article 3 (2) does not need to sign any international data transfer vehicle (i.e., because it is covered by the GDPR, including its Article 44 et seq.)? And, should the answer be “no”, which data transfer vehicle would need to be used? These questions currently remain unresolved and should be monitored very closely.

2. How should EU service providers supporting EU or non-EU customers use the respective SCCs?

The new Ex-EU SCCs offer more flexibility through a “modular approach”. With non-EU customers, EU service providers will be able to build a “processor-to-controller” data transfer agreement thanks to the new module “P2C” (further details in question 8 below), or even a “controller-to-controller” agreement. What is also interesting is that with the simultaneous publication of the Intra-EU SCCs, EU service providers were also given a new tool to comply with Article 28 (3) and (4) GDPR. For EU service providers who mainly provide services within the EU to EU customers, and who only occasionally transfer personal data outside of the EU, for instance if they agree to provide services to a non-EU customer, the question arises in practice which SCCs should be used. Recital 10 of the implementing decision of the Commission related to the Intra-EU SCCs clarifies that the Intra-EU SCCs cannot be used as standard contractual clauses for the purpose of Chapter V GDPR. But does this mean that an EU service provider who wants to implement its new template following Schrems II must use the Ex-EU SCCs in any case? Is it possible to remove the part that relates to Article 28 from the Ex-EU SCCs, keep its own data processing agreement to govern the data controller – data processor relationship, and add the relevant parts of the SCCs in an Annex in case it is confirmed that there will be a transfer? Despite the effort and investment required, implementing two different templates to cover the cases of transfers and of non-transfers seems to be the best way to proceed.

3. May EU service providers supporting EU and non-EU customers continue to rely on their own data processing templates?

With the adoption of the Intra-EU SCCs, the European Commission has provided standard contractual clauses pursuant to Article 28 (7) GDPR that can be used by EU service providers when processing personal data on behalf of EU and non-EU customers. The Intra-EU SCCs are deemed to fulfil the requirements pursuant to Article 28 (3), (4) GDPR. Furthermore, the Ex-EU SCCs are now also deemed to fulfil the requirements for the engagement of (sub-) processors pursuant to Article 28 (3) and (4) GDPR if used without modification. That is, where an EU service provider engages a sub-processor outside of the EU, or where an EU service provider processes personal data on behalf of a non-EU customer, and where the parties enter into the (respective Module of the) Ex-EU SCCs to provide for appropriate safeguards within the meaning of Article 46 GDPR, they do not, in addition, need to enter into a data (sub-) processing agreement to also fulfil the requirements of Article 28 (3), (4) GDPR.

Nevertheless, the parties remain free to fulfil the requirements pursuant to Article 28 (3), (4) GDPR by entering into an individually negotiated data (sub-) processing agreement instead of relying on the Intra-EU/Ex-EU SCCs for that purpose. This is expressly stated in Article 28 (6) GDPR. In such a case, it has to be assessed on a case-by-case basis whether the individually negotiated data (sub-) processing agreement fulfils the requirements pursuant to Article 28 (3), (4) GDPR. However, if there is doubt in the future whether or not that is the case, data protection authorities might compare the relevant individually negotiated provisions with the corresponding provisions in the Intra-EU/Ex-EU SCCs. In addition, where the parties enter into an individually negotiated data processing agreement and conclude the Ex-EU SCCs with respect to the transfer of data to a third country, it can be questioned whether this risks losing the adequacy protection afforded by the Ex-EU SCCs (see question 4).

4. If EU service providers conclude their own Article 28 contract, do they risk losing the adequacy protection for deviating from the SCCs?

The implementing decision of the European Commission related to the Ex-EU SCCs specifies that the SCCs can be used in whole or in part by the parties, who can include their own DPA. Pursuant to Article 46 (3) (a) GDPR, authorization from the competent supervisory authority is required if the appropriate safeguards required for transfers in the absence of a decision pursuant to Article 45(3) are based on “contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization”, whereas pursuant to Article 46 (2) (c), authorization from the competent authority is not required if “standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2)” are used. This raises the question whether the use of an Article 28 contract which differs from the provisions of the Ex-EU SCCs will cancel the benefit of using standard clauses and require prior approval from the competent authority. Given the terms of Clause 2 (“Effect and Invariability of the Clauses”) of the Ex-EU SCCs, and in light of Recital 109 GDPR and Recital 3 of the implementing decision, it seems that, to the extent the non-standard Article 28 contract does not contradict the SCCs, directly or indirectly, or prejudice the fundamental rights or freedoms of data subjects, the Ex-EU SCCs keep their “standard” character and hence do not lose their adequacy protection.

5. To what extent may EU service providers and their customers agree on limitations of liability in the commercial agreement?

The Ex-EU SCCs allow the parties to include them in a wider contract and/or to add other clauses or additional safeguards, provided that these do not contradict, directly or indirectly, the Ex-EU SCCs or prejudice the fundamental rights or freedoms of data subjects. This leads to the question whether, and in which cases, limitations of liability might be seen to contradict the standard contractual clauses. On the one hand, the wider contract mentioned above typically also includes a limitation of liability. Also, the Ex-EU SCCs do not state that each party’s liability vis-à-vis the other party shall be unlimited. This argues in favor of the possibility to agree on a market-standard limitation of liability in the wider contract, as long as the limitation of liability does not affect the rights of the data subjects. On the other hand, the Ex-EU SCCs state that “Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.” Therefore, it could be questioned whether the exclusion of certain types of damages constitutes a contradiction of the aforementioned provision, because in such a case a party would not be liable for “any” (type of) damage. In addition, it is questionable whether otherwise extremely far-reaching limitations of liability could be seen as a contradiction. This is because if a limitation of liability effectively leads to an exclusion of a party’s liability, such party might be discouraged from complying with the Ex-EU SCCs.

The Intra-EU SCCs also allow the parties to include them in a broader contract, or to add other clauses or additional safeguards, provided that these do not directly or indirectly contradict the Intra-EU SCCs or detract from the fundamental rights or freedoms of data subjects. However, the Intra-EU SCCs do not contain provisions on liability. Thus, including a limitation of liability in the broader contract is less likely to be seen as a contradiction of the Intra-EU SCCs. Nevertheless, any limitation of liability should remain such that it does not discourage a party from complying with the Intra-EU SCCs.

6. Which conditions apply to the engagement of sub-processors?

One of the main missions of the Ex-EU SCCs is to ensure that the level of protection of the transferred personal data is essentially equivalent to that guaranteed within the EU. For this reason, onward transfers by the data importer to a third party in another third country are allowed only if the third party accedes to the Ex-EU SCCs, or if the continuity of protection is ensured otherwise. The international transfer may also be allowed in specific situations, such as on the basis of the explicit, informed consent of the data subject.

The use of sub-processors may be allowed based either on the specific prior authorization of the data exporter, or on a general authorization; both types of authorization must be in written form. The parties may agree on the time period within which the data importer must submit its request for specific authorization to the data exporter, together with all information necessary for the data exporter’s decision. The list of authorized sub-processors must be set out in an Annex to the Ex-EU SCCs and the parties must keep that Annex up to date during their relationship. In the case of general authorization the parties must agree on the list of approved sub-processors, which is a new requirement introduced by the Ex-EU SCCs. The list of approved sub-processors is maintained by the data importer, who must inform the data exporter of changes sufficiently in advance to allow the data exporter to object to them.

The contract with the sub-processor must contain the same data protection obligations as those binding the data importer, and the data importer must ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to the Ex-EU SCCs.

7. What applies with respect to audits under the new SCCs?

The Ex-EU SCCs’ Modules 2 (Controller-to-Processor), 3 (Processor-to-Processor) and also 4 (Processor-to-Controller) all include a certain right to conduct audits. For Modules 2 and 3 this includes an obligation of the data importer to provide “all information necessary to demonstrate compliance with the obligations set out in” the Ex-EU SCCs and, at the data exporter’s request, to “allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance”, while the data exporter may “take into account relevant certifications held by the data importer”. Module 4 (which would be more relevant for EU service providers supporting non-EU customers) at least contains the obligation of the data exporter to “make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.” The Intra-EU SCCs contain an obligation more or less identical to that in Modules 2 and 3 of the Ex-EU SCCs.

The clauses remain silent with respect to the cost allocation of audits (as did the old Ex-EU SCCs). Given that the Ex-EU SCCs allow other clauses or additional safeguards to be added (e.g., in a broader contract) provided that they do not directly or indirectly contradict the Ex-EU SCCs, one could argue that cost allocation rules can be agreed upon, as these at least do not directly contradict the Ex-EU SCCs (the same applies mutatis mutandis to the Intra-EU SCCs). However, it should be considered that guidance exists which questions arrangements where the controller / data exporter has to bear the audit costs, as this may indirectly prevent such audits from being conducted. The situation should be monitored very closely in this context.

The same applies to the well-known practice of taking a leveled approach to audits, namely:

  • Step 1: Audits are conducted on the basis of certificates, third-party audit reports and other documentation (paper-based audit), and only to the extent this is not satisfactory, or given specific circumstances, or where specifically required by law,
  • Step 2: an on-site audit is conducted.

One could argue, though, that this is not a new issue, as the old Ex-EU SCCs (see Clause 5 (f)) already included an obligation similar to the one contained in the new Ex-EU SCCs and Intra-EU SCCs, and it was quite common practice to agree on the aforementioned leveled approach. It remains to be seen whether the new SCCs will again fuel this discussion. It goes without saying that both the controller/data exporter and the processor/data importer have a great (and in most cases mutual) interest in agreeing on such a leveled approach to keep audits manageable and appropriate.

8. Questions raised by the P2C Module

Given the wording of Art. 44 et seqq. GDPR, it is clear that an EU processor (or a processor falling under the applicability of the GDPR) needs to adhere to the international data transfer requirements of the GDPR and, hence, needs to implement appropriate safeguards in case data processed for a non-EU controller is transferred internationally. Until the new Ex-EU SCCs, no such transfer mechanism was available. With the new Ex-EU SCCs and their Module 4 (Processor-to-Controller) such a mechanism exists and allows EU processors to close this gap. It remains to be seen, though, how easily such clauses can be implemented with non-EU customers and whether the underlying requirement and the clauses themselves create a competitive disadvantage compared to non-EU service providers. In this context it needs to be taken into account that Module 4 of the Ex-EU SCCs contains quite a set of obligations for the non-EU customer (this includes, inter alia, an obligation to refrain from any action that would prevent the data exporter from fulfilling its obligations under the GDPR, the necessity to implement appropriate technical and organizational measures to ensure the security of the data, and a (mutual) obligation to assist each other in responding to enquiries and requests made by data subjects).

9. Is the implementation period long enough?

Both the Intra-EU SCCs and the Ex-EU SCCs are effective as of 27 June 2021. However, controllers and processors must use the Ex-EU SCCs as of 27 September 2021 if they implement new business procedures that involve the international transfer of personal data, or modify the data processing operations that are the subject matter of the currently used contracts. Also, the parties must not rely on their existing contracts that are based on the now repealed SCCs if such contracts do not ensure appropriate safeguards for the international transfers.

The three-month interim period that is available for controllers and processors to prepare the necessary contractual documentation and implement the necessary technical and organizational measures might be too tight. Adopting the new measures and setting up the proper contractual arrangements are usually complex tasks that require an assessment of the whole supply chain, including all sub-processors that are affected and the risks the data transfer creates. What further complicates matters is that two of the three available months fall within the holiday high season, during which business and decision-making procedures at companies might slow down.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Joanna advises on a wide range of technology and commercial agreements and matters. Her practice focuses on regulatory issues, especially data protection, consumer law, and advertising and marketing, and she regularly advises clients on these areas in particular.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Dr. Maximilian Raschhofer has more than 10 years of experience in complex tech-related litigation. After graduating from the Law School of the University of Vienna in 2006 as the third best graduate, Maximilian acquired his doctoral degree in the area of data protection and hosting provider liability and acted as Vice Director of the European Center for E-Commerce and Internet Law from 2007 to 2010. From 2010 to 2018 he worked as Associate, Senior Associate and then Counsel at one of Austria’s biggest law firms, where he handled complex tech- and health-related matters, in particular administrative (criminal) proceedings and litigation, and finally gained valuable in-house experience at one of the largest Austrian insurance corporations, handling in particular GDPR compliance and complex regulatory matters.

Author

Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and navigating complex litigation on behalf of clients in data privacy and security. He is uniquely able to and routinely uses his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author

Radoslaw Nożykowski is a Counsel in the IP Tech/Compliance & Investigations departments at Baker McKenzie's Warsaw office. He has over 15 years of professional experience working for clients from the technology, finance, media and healthcare sectors. He is recommended by Chambers Europe and Legal 500 in the area of TMT (including privacy compliance).

Author

Yann has extensive experience in dealing with issues pertaining to internet law, data privacy protection, internet surveillance, cloud computing and whistleblowing. He has assisted numerous businesses with complex projects involving information technologies (big data compliance, ethics of algorithms, data governance, profiling, e-discovery procedures, etc.). Yann also advises on compliance disputes.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Raul Rubio joined Baker McKenzie as a partner in 2011, practicing in the area of information technology and communications. He has over 15 years’ experience, having worked for the Spanish office of a Big Four accounting firm prior to joining Baker McKenzie. Mr. Rubio is a frequent speaker at several universities, law schools and companies, and has given several lectures on topics related to his field. He has written numerous legal articles in business journals and magazines relating to intellectual property, audiovisual law and new technologies.

Author

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Csaba Vári is head of the Privacy practice for Baker McKenzie in Hungary and a member of the Intellectual Property and Technology group. He provides comprehensive advice to clients on privacy and cybersecurity matters, from European data protection regulations and local privacy laws to e-commerce and cloud services regulation. His work focuses on advice and support to clients regarding data protection impact assessments, data security incident reporting, and responding to queries from data subjects, as well as representation before regulatory authorities and courts.

Author

Julia Wilson is a partner in Baker McKenzie's Employment & Compensation team in London. She advises senior legal and HR stakeholders on a range of employment and data protection matters.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.

Author

Simone Rieken is a senior associate in Baker McKenzie's Frankfurt office and a member of the Information Technology Practice Group. Prior to joining the Firm, she worked for a large German corporate law firm, focusing on IT and data protection law. She studied law at the University of Trier and at Queen Mary, University of London and clerked in Hamburg and Los Angeles. She advises national and international companies on all aspects of IT and data protection law. She focuses on data protection with regard to direct marketing and related tracking and profiling activities. Another focus of her practice is on IT (outsourcing) projects and agile software developments.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.