10 Things to Know about the European Commission’s Questions and Answers on the GDPR Standard Contractual Clauses

Part 1: Summer Global Privacy Roundup Series – What You Should Not Miss for Legal and Regulatory Developments

On June 4, 2021, the European Commission (the “Commission”) published its implementing Decision adopting standard contractual clauses for the transfer of personal data to third countries (the “SCCs”) designed to comply with the General Data Protection Regulation (“GDPR”), taking into account the Schrems II judgment of the Court of Justice of the European Union. The Decision went into effect on June 27, 2021. Since September 27, 2021, all new contracts and processing activities have been required to use the new SCCs; companies have until December 27, 2022, to migrate contracts concluded before this date to the new SCCs. See some previous articles from Orrick discussing the new SCCs from June 2021, from September 2021, and from November 2021 for more background.

On May 25, 2022, the Commission published a 24-page Q&A document covering a wide range of questions based on the feedback it received from various stakeholders on their experience in the first months after the new SCCs’ adoption and indicated that the Q&A will continue to be updated as new questions arise. This Article focuses on key insights of interest where we often see a deviating practice:

  1. When should different modules of the SCCs be used? The Q&A illustrates and clarifies situations for which each module of the SCCs is applicable. For instance, it clarifies that Module 3 applies specifically in situations where a processor within the EEA transfers data to a sub-processor outside the European Economic Area (the “EEA”) that is not subject to the GDPR (See Q&A #27).
  2. How should modules and options of the SCCs be used in contracts? The Q&A states that parties should only agree to the clauses relevant for their specific situation and delete the modules and/or options that do not apply to them, implying that general references to the SCCs are not sufficient (See Q&A #9). This is further corroborated by the requirement that, when requested by individuals whose data has been transferred outside the EEA based on SCCs, the parties must provide a copy of the clauses as they have been used (See Q&A #32).
  3. How should contracts using the SCCs be formalized? The Q&A clarifies that the SCCs do not provide specific requirements as to how signatures should be formalized for a contract that uses the SCCs (for instance, whether wet signatures are required) (See Q&A #6). Parties should therefore simply adhere to the requirements of the relevant jurisdictions for formalizing contracts.
  4. Can liability under SCCs be limited by general liability clauses? The Q&A specifies that for liability for violations of the SCCs, parties cannot deviate from the liability schemes as laid out in the SCCs, even for liability between the parties of the contract. Clauses in the broader contract “may not contradict or undermine [the] liability schemes of the SCCs” for liability for violations of the SCCs (See Q&A #35).
  5. What role do the Annexes play? The Q&A emphasizes the role that the Annexes play in the SCCs. Parties must clarify in the Annexes to which specific data transfers they intend to apply the SCCs (for instance, the category of personal data and the purpose), the respective roles of the parties, competent supervisory authority/authorities, and requirements around data security and processing of sensitive data (See Q&A #21, #39). As new parties are added or “docked” using the optional Docking Clause in the SCCs, the Annexes must be updated and the new party must sign Annex I of the SCCs, shedding some light on how the docking clause may work in practice (See Q&A #12, #13).
  6. Must processors provide specific names of their sub-processors to the controller? The Q&A clarifies that, regardless of whether parties opt to use prior specific authorization or general written authorization for use of sub-processors, the processor must provide the name(s) of the individual sub-processors to the controller within the time period agreed on by the parties; providing only categories is insufficient (See Q&A #16). If using general written authorization, the processor must inform the controller in writing of any intended changes to the agreed list of sub-processors, and if the controller objects, the processor may not engage the new sub-processors (See Q&A #17). The Q&A document does not provide further clarification on what constitutes a sufficient written notice to controllers.
  7. Who can use the SCCs? The Q&A reaffirms that the SCCs are not to be used for data transfers to importers whose processing operations are directly subject to the GDPR (See Q&A #24), but they can be used for data transfers from a non-EEA controller or processor whose processing is subject to the GDPR to a non-EEA controller or processor that is not subject to the GDPR (See Q&A #23). This implies that in a case where a controller C within the EEA transfers data to a processor P outside the EEA but subject to the GDPR, who in turn transfers data to a sub-processor S outside the EEA that is not subject to the GDPR, the SCCs cannot be used for the data transfer from C to P, but can be used for the data transfer from P to S. The Q&A states that the Commission is working on an additional set of SCCs for transferring data to non-EEA data importers that are subject to the GDPR but does not provide further guidance on this scenario (See Q&A #24).
  8. When using Module 2 or Module 3, should parties enter a separate agreement for Article 28 requirements? The Q&A reaffirms that Modules 2 and 3 of the SCCs incorporate the requirements of Article 28 (general requirements for data processors); by using these Modules, parties need not enter into a separate data processing agreement that passes down the exact language of Article 28 requirements (See Q&A #29). However, as discussed in a previous article, companies may want to consider an additional agreement which provides additional details that articulate the parameters of the Article 28 requirements.
  9. Is a transfer impact assessment always necessary when transferring data outside the EEA? The Q&A clarifies the requirement of clause 14 of the SCCs and explains that transfer impact assessments are not always required when transferring data outside the EEA, depending on the actual data being transferred internationally. A transfer impact assessment does not need to be completed when relying on Module 4 for an EEA processor to return data it has received from its non-EEA controller to that controller, since the personal data was originally processed outside the EEA. However, if the data transferred by the processor includes personal data originating in Europe, a transfer impact assessment is still necessary (See Q&A #40, #44).
  10. How should data importers, bound by the SCCs, handle access requests from public authorities or courts? The Q&A states that the data importer, to the extent allowed by the national law, must notify the data exporter if it receives legally binding requests from a public authority or court in the third country to disclose the personal data transferred and provide at regular intervals aggregate information about access requests the importer has received. The importer must also notify the exporter if it is no longer able to comply with the SCCs (for instance because there was a change in the laws of the third country) (See Q&A #41).

The authors wish to give special thanks to summer associate Christina Lee for contributing to this piece.