Before considering some of the key steps to undertake in implementing the new EU SCCs, we will give a brief overview of the EU SCCs construct.
• A brief overview of the EU SCCs
The EU SCCs consist of four main sections and three annexes.
The first general section (1) describes the purpose and scope of the EU SCCs, (2) clarifies which terms of the EU SCCs may be invoked and enforced by data subjects as third-party beneficiaries, (3) indicates that any terms used in the EU SCCs have the meaning given to them under the GDPR, (4) clarifies that the terms of the EU SCCs will prevail should there be any conflict with any other agreement the parties to the EU SCCs may have entered into, and (5) describes the transfer. In addition, the first general section includes an optional clause (the "docking clause"), according to which the parties to the EU SCCs may add a third party, either as a data exporter or as a data importer, by completing and signing Annex A.1.
The second section, specific to the parties' obligations, adopts a "modular approach" and offers four options, depending on the type of processing and parties associated with such processing. The four modules of the EU SCCs are:
• (1) controller to controller (C2C),
• (2) controller to processor (C2P),
• (3) processor to processor (P2P), and
• (4) processor to controller (P2C).
The modular approach applies to both the basic terms regarding data protection safeguards (such as accuracy and data minimisation, storage limitation, security of processing and reporting of a data breach) and provisions in connection with local laws, which may affect compliance with the EU SCCs, including the use of sub-processors and liability terms.
The third section of the EU SCCs relates to the local laws and obligations governing access by public authorities. In particular, the parties to the EU SCCs must conduct and document an assessment of the laws and practices in the third country of destination that apply to the processing of personal data.
The fourth section of the EU SCCs features various general provisions, including, for instance, the obligation on the data importer to promptly inform the data exporter if it is unable to comply with the EU SCCs. Furthermore, the EU SCCs should be governed by the laws of an EU Member State, provided that such laws allow for third-party beneficiary rights.
Lastly, the EU SCCs include three annexes, namely to describe (1) the list of parties, the type of transfer and the competent authority, (2) the technical and organisational measures agreed upon between the parties, and (3) the list of sub-processors.
• Other considerations?
On 25 May 2022, the European Commission published a Q&A[4] on the new EU SCCs to address, in 44 questions, feedback from various stakeholders on their experience using the latest EU SCCs since their adoption in June 2021. The Q&A is intended to be "dynamic" and may be updated as new questions arise. Some of the important questions addressed include whether the parties to the EU SCCs may add additional clauses to the EU SCCs or incorporate the EU SCCs into a broader commercial contract. Other questions relate to whether the liability under the EU SCCs can be limited by a general liability clause in the main commercial agreement.
In this respect, the parties to the EU SCCs are free to include the EU SCCs in a wider contract, namely the primary commercial agreement between the parties. In addition, while the data exporter and data importer may not amend the terms set out in the EU SCCs, the parties may add other clauses or additional safeguards "provided that they do not contradict, directly or indirectly, the (SCCs) or prejudice the fundamental rights or freedoms of data subjects." The Q&A also clarifies that the liability clauses of the EU SCCs do not affect the liability provisions that may apply to other aspects of the contractual relationship between the parties.
• Some of the key implementation steps include:
1. Determine which parties are processor and/or controller, respectively
On 7 July 2021, the EDPB adopted the updated Guidelines 07/2020 Version 2.0 on the concepts of controller and processor in the GDPR[5]. These important Guidelines explain the concepts of controller and processor and illustrate them with concrete examples.
When selecting the relevant module (C2C, C2P, P2P or P2C) for the purpose of the EU SCCs, a careful review of the above Guidelines is expected, to ensure that the relevant parties are correctly identified as controller and/or processor.
2. Conduct and document a transfer impact assessment ("TIA")
The parties to the EU SCCs, amongst other things, must warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the EU SCCs.
This means that the parties to the EU SCCs must conduct a TIA of the relevant laws and practices of the third country. Furthermore, the risk-based assessment of the laws and practices of the third country of destination must be documented and made available to the competent data protection authority upon request.