The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have adopted joint opinions on two sets of standard contractual clauses (SCCs), one opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries.
The text of both opinions together with their annexes can be found here.
The first one, the Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Several amendments were requested in order to bring more clarity to the text and to ensure its practical usefulness in day-to-day operations of the controllers and processors. These include the interplay between the two documents, the so-called "docking clause" which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggest that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity - any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.
The second one, the draft SCCs for the transfer of personal data to third countries pursuant to Art. 46 (2) (c) GDPR will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the CJEU ‘Schrems II’ Judgment, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in case of binding requests from public authorities for disclosure of personal data.
Nevertheless, the EDPB and EDPS are of the view that several provisions could be improved or clarified, such as the scope of the SCCs; certain third-party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding access to public data by public authorities; and the notification to the SA.
EDPB Chair Andrea Jelinek added: "The conditions under which SCCs can be used must be clear for organisations and data subjects should be provided with effective rights and remedies. In addition, the SCCs should include a clear distribution of roles and of the liability regime between the parties. As regards the need, in certain cases, for ad-hoc supplementary measures in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the new SCCs will have to be used along with the EDPB Recommendations on supplementary measures.”
The EDPB and the EDPS invite the Commission to refer to the final version of the EDPB Recommendations on supplementary measures, should the final version of the recommendations be adopted before the Commission’s SCC decision. This document was submitted for public consultation and is still subject to possible further modifications on the basis of the results of the public consultation.
For FEBIS members, it is an important topic as many members have data transfers out of the EU and that rely on a controller-processor SCC. The FEBIS Regulatory Committee had already tackled it and will discuss the topic again at one of its next calls.