Transfer of personal data awaits change – the European Commission is preparing new standard contractual clauses
What are standard contractual clauses?
Standard Contractual Clauses (SCC) is one of the instruments enabling the legal transfer of personal data to third countries (outside the EU/EEA) that do not provide an adequate level of protection of personal data. They have the form of template contractual provisions, which data exporters incorporate into transfer agreements to introduce an acceptable level of data transfer security.
Although the GDPR has been in use in the European Union for more than 2 years, to this day, 3 sets of standard contractual clauses have been in use, which were still introduced on the basis of Directive 95/46/EC (replaced by the GDPR). The oldest European Commission decision on the standard contractual clauses dates back to 2001.
The European Commission decisions approving the standard contractual clauses on the basis of Directive 95/46/EC will remain in force until they are amended, replaced or repealed – which should happen soon.
These changes are long awaited because the previous sets of contractual clauses did not contain all the elements of a transfer agreement required under the GDPR and referred in their content to the previous legal status.
Who will be able to apply the new contractual clauses?
Standard contractual clauses are one of the solutions for entities that transfer personal data outside the EU/EEA to countries for which the European Commission has not issued an adequacy decision, e.g. the USA, China or India. This is especially relevant for the United States, where until recently personal data could be transferred on the basis of the Privacy Shield scheme annulled by the decision of The Court of Justice of the European Union in the „Schrems II” case.
In addition to a set of standard contractual clauses for the transfer of personal data outside the European Union, the European Commission has also prepared a completely new set of clauses for use in controller-processor relations, also within the EU.
How to apply the standard contractual clauses?
Standard contractual clauses are a set of ready-made contractual provisions for the processing of personal data. They may constitute a separate contract between the parties or be part of the main contract, e.g. for the provision of services.
Standard contractual clauses should not be treated as a comprehensive regulation of personal data transfer. It is acceptable and even recommended to supplement the standard contractual clauses with additional data protection safeguards, tailored to the specific circumstances and needs of the parties. However, it should be noted that such additional provisions must not contradict the content of the standard contractual clauses or violate the fundamental rights or freedoms of the data subjects.
The use of the standard contractual clauses is one of the easier instruments for data transfer, as it does not require the consent of the data subjects or notification to the President of the Office for Personal Data Protection. The form of ready-made contractual clauses is willingly used by entrepreneurs.
Finally, it is worth recalling that standard contractual clauses can also be introduced by national supervisory authorities after approval by the European Commission. However, so far in Poland no set of clauses has been adopted in this way.