Are there any significant differences between the existing SCCs, draft GDPR SCCs of November 2020 and the final GDPR SCCs?
Yes. In addition to the modular approach outlined above and the risk-based approach adopted in the GDPR SCCs, some of the material differences may be summarised as follows.
Liability and indemnification
The existing SCCs include an optional indemnification provision pursuant to which the parties agree that, if one party is held liable for a violation of the SCCs committed by the other party, the latter party will, to the extent to which it is liable, indemnify the first party. A similar indemnification provision proposed as mandatory in the November 2020 version of the GDPR SCCs was removed from the final GDPR SCCs.
Each of the four modules includes a liability section consistent with the liability regime set out under GDPR. Art. 82.3 of GDPR however clarifies that a controller or processor is exempt from liability under Art. 82.2 of GDPR if it proves that it is not responsible for the event giving rise to the damage.
Obligation to provide a copy of the GDPR SCCs to data subject
On request, the parties to the GDPR SCCs need to make a copy of the GDPR SCCs, including the annexes, available to the data subject free of charge. While the parties may redact part of the text of the annexes prior to sharing a copy in order to protect business secrets or other confidential information, they should (1) provide a “meaningful summary” where the data subject would otherwise not be able to understand its content or exercise his/her rights and (2) on request, provide the data subject with the reasons for the redactions “to the extent possible without revealing the redacted information”.
How much time do we have to act?
Further to being published in the EU Official Journal on 7 June 2021 [5], the GDPR SCCs will enter into force on 27 June 2021. Existing SCCs may continue to be used until 27 September 2021.
However, existing SCCs entered into before 27 September 2021 will need to be replaced by the final GDPR SCCs by 27 December 2022.
A careful and detailed review of the final GDPR SCCs will be required to assess any material changes from the draft GDPR SCCs published in November 2020, given that the European Commission took into account the 148 feedback submissions from the public consultation and the Joint Opinion 1/2021 [6] issued by the EDPB and European Data Protection Supervisor (“EDPS”) [7] in January 2021 (“Joint Opinion”).
Practical Considerations for your Business
Should the GDPR SCCs be entered into as a standalone contractual arrangement?
Not necessarily. The parties to the GDPR SCCs are free to include the GDPR SCCs in a wider contract, namely the primary commercial agreement between the parties.
Can the GDPR SCCs be negotiated by the parties entering into this transfer mechanism?
Yes. While the data exporter and data importer may not amend the terms set out in the GDPR SCCs, the parties may add other clauses or additional safeguards “provided that they do not contradict, directly or indirectly, the [SCCs] or prejudice the fundamental rights or freedoms of data subjects.”
Specific provisions to consider?
While the CJEU confirmed in the Schrems II Decision that SCCs remain valid on the basis that, amongst other things, it “incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law”, the data exporter and data importer should provide additional safeguards by way of contractual commitments supplementing the SCCs. The focus, therefore, would be for financial institutions, both as data exporter and data importer, to assess what “Supplementary Measures” may need to be implemented, in addition to the technical and organisational measures already in place.
Assessment of the law in the relevant third country
The parties to the GDPR SCCs, amongst other things, must warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the GDPR SCCs. The risk-based assessment of the laws and practices of the third country of destination must be documented and made available to the competent data protection authority on request.
Supplementary Measures?
The EDPB and EDPS have indicated in their Joint Opinion that the assessment of the legislation of the third country of destination, which may prevent the data importer from fulfilling its obligations under the GDPR SCCs in connection with a specific transfer, should be based on “objective factors” regardless of the likelihood of access to the personal data. Objective factors include aspects such as (a) the purposes for which the data are transferred and processed (e.g. marketing, HR, storage, IT support), (b) the types of entities involved in the processing (public/private), (c) the sector in which the transfer occurs (e.g. telecommunication, financial), (d) the categories of personal data transferred and (e) the format of the data transferred (i.e. in plain text, pseudonymised or encrypted).