On 4 June 2021, the European Commission published a new model contract for the transfer of personal data to countries outside the European Economic Area (EEA). This article discusses the consequences of this for daily practice.
In a nutshell
- The new model contract can be used for the international transfers concerned from 27 June 2021; a data transfer impact assessment will also have to be carried out and, if necessary, additional commercial agreements can be made;
- As of 27 September 2021, the previous model contracts may no longer be used for new transfers or for transfers in which the underlying processing changes, because the validity of the previous model contracts will be revoked as of that date; and
- As of 27 December 2022, existing transfers can no longer be legitimised on the basis of the former model contracts either, and transfers will therefore only be permitted on the basis of the new model contract or another legitimate ground.
The General Data Protection Regulation (GDPR) aims to harmonise the processing of personal data within the EEA. One of its objectives is to facilitate the free movement of personal data within the EEA.
Transfers of personal data to countries outside the EEA are only allowed if certain conditions are met. A popular solution is the use of Standard Contractual Clauses (SCCs) approved by the European Commission.
The EU Court of Justice previously ruled in the Schrems II judgment that these Standard Contractual Clauses may only be used if an equivalent level of protection can be ensured in practice.
Previous model contracts
Although the model contracts from 2004, 2010 and 2014 are popular, their use in practice has not always been easy. This goes beyond the discussion about the lawfulness of the model contracts on which the EU Court of Justice ruled in Schrems II.
The model contracts only concern the transfer between two data controllers or one data controller and one processor, whereas in practice many more variants are possible, such as the transfer from one (sub)processor to another (sub)processor.
The model contracts also (explicitly) remained valid when the GDPR entered into force, but their content is not entirely in line with the GDPR. This is illustrated, for example, by the absence of (explicit) provisions on dealing with data breaches.
New model contract
It is therefore encouraging that the European Commission has now published a new set. This set was offered for consultation on 12 November 2020 and published in its final form on 4 June 2021, and can be used from 27 June 2021.
The new set has been radically amended in terms of content. First and foremost, it is worth noting that the new model contract supports many more variations, such as:
- the transfer from a processor to a controller and the transfer from a (sub)processor to a (sub)controller;
- the transfer in which the GDPR applies because the data subjects are located in the EEA, while the controller is not established there; and
- the transfer where more than two parties are involved and the group of parties expands over time (“docking provision”).
The only variants that do not seem to be supported are the situation where the processing by the data importer is covered by the GDPR or the situation where the transfer of personal data is regulated under the UK variant of the GDPR.
What is also significant is that the new Standard Contractual Clauses expressly take the Schrems II case into account, retaining the principles on which the EU Court of Justice judged the Standard Contractual Clauses to be permissible in principle.
The new Standard Contractual Clauses also stipulate that the data exporter will have to perform a data transfer impact assessment, and set out what this assessment should satisfy. This assessment should be made available to the supervisory authority upon request.
The safeguards against interference by a third country government authority have also been strengthened, such as:
- wherever possible, the data importer should inform the data exporter and data subjects about a request for access by a public authority;
- the data importer should challenge the legitimacy of a request and, if possible, have the request (temporarily) suspended; and
- the data importer should document the steps taken and should separately publish a transparency report containing more generic statistics on this issue.
In comparison with the consultation version of 12 November 2020, it is also noticeable that many commercially oriented provisions have been deleted in the final version, such as agreements on the costs of audits. Apparently, the European Commission did not want to get involved in such matters.
In practice, this means that organisations can make additional agreements on these matters. The Standard Contractual Clauses allow additions, as long as they do not conflict with the content of the Standard Contractual Clauses and do not infringe the fundamental rights of data subjects.
Data processing agreement
If the Standard Contractual Clauses are concluded between a controller and a processor, it is no longer necessary to conclude a separate data processing agreement. All mandatory topics are covered by the Standard Contractual Clauses.
On 4 June 2021, the European Commission also published a standard data processing agreement that a controller and processor within the EEA can conclude with each other.