European Commission issues FAQs on the New SCCs.
SCCs are a “ready-made” and easy-to-implement tool. This is particularly important for SMEs or other companies that may not have the resources to negotiate individual contracts with each of their commercial partners. Well, not so much for the US, and not if you are doing a #TIA, but let's roll.
What do you need to know?
Cross Border Transfer SCCs
(1) Who can use the SCCs?
- The SCCs can be used by non-EEA controllers and processors whose processing is subject to the GDPR, for data transfers related to that processing to non-EEA entities, in particular: (a) by a controller outside the EEA whose processing is subject to the GDPR to a controller or processor outside the EEA that is not subject to the GDPR; (b) by a processor outside the EEA whose processing is subject to the GDPR to a sub-processor, or to a controller outside the EEA (on whose behalf it is processing the data), that is not subject to the GDPR.
- They CANNOT be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR. The European Commission is in the process of developing an additional set of SCCs for this scenario.
- The SCCs are designed for a commercial context and are not adapted for data transfers to international organisations.
(2) Do you need a signature?
- Yes, you need a signature for Annex I of the SCCs and you have to provide your contact information.
- When adding a party: once the existing parties agree, the new party will need to complete the Annexes and sign Annex I of the SCCs for the accession to take effect. Amending the main agreement to which the SCCs are annexed by adding parties to that agreement is not sufficient to add parties to the SCCs.
- However, depending on the national law governing the agreement, this signature may be electronic.
(3) Can you change the SCCs?
- The only changes allowed are: (i) selecting the right module; (ii) completing the text indicated by square brackets; (iii) filling in the Annexes; and (iv) adding additional safeguards.
- You can supplement the SCCs with additional clauses or incorporate them into a broader commercial contract, as long as the other contractual provisions do not contradict the SCCs, either directly or indirectly, or prejudice the rights of data subjects (i.e. you cannot include a complete exculpation from liability or bypass the sub-processor authorisation requirement).
- How to incorporate the SCCs into the general contract so that they are binding depends on the applicable local law requirements.
(4) Use of the Modules / Contractual Matters
- You need to extract the modules that apply and delete the modules or options that do not apply. (Read: it looks like just referencing the changes as part of your contract is not enough; you need an actual SCC document.)
- Consent of existing parties to new parties acceding to the clauses is not regulated by the SCCs, but should be given in accordance with the relevant provisions of the national law governing the SCCs (i.e. contract law).
- When new parties are added, the Annexes to the SCCs must be updated.
- You can agree to several modules at the same time if the parties assume different roles for different data transfers taking place between them as part of their overall contractual relationship.
- You have to complete the Appendix with specificity, including: the categories of data subjects whose data is transferred; the categories of personal data transferred; the purposes of the transfer and further processing; the nature of the processing; and the period for which the data will be retained, or the criteria used to determine that period.
(5) Rights of Individuals
- You must provide the individual, on request and free of charge, with a copy of the clauses as they have been used. This needs to include the completed and signed Annexes. A general reference to the SCCs as adopted by the European Commission (e.g. by providing a link to the Commission’s website) is not sufficient. You may only redact information that concerns business secrets or other confidential information (e.g. personal data of other individuals), but you have to explain why it was left out. If the remaining text becomes too difficult to understand, the parties must provide a meaningful summary of the redacted parts.
- Individuals have the right to obtain information (e.g. on the data that is transferred, the purpose of the processing, the recipients with whom their data has been or will be shared, and the right to lodge a complaint with a supervisory authority) from the entity that is responsible for the processing of their data (i.e. the ‘controller’).
- Clauses in the broader (commercial) contract (e.g. special rules on the distribution of liability, or liability caps in the relationship between the parties) may not contradict or undermine the liability scheme of the SCCs.
- This only applies to liability for violations of the SCCs themselves. The liability clauses of the SCCs do not affect liability provisions that may apply to other aspects of the contractual relationship between the parties.
- Clause 14 of the SCCs (transfer impact assessment) should not be read in isolation, but should be used together with the detailed guidance prepared by the European Data Protection Board (EDPB).
- The data importer should promptly notify the data exporter if it receives a legally binding request from a public authority or court in the third country to disclose the personal data transferred. Similarly, it should notify the exporter if it becomes aware of any direct access (e.g. interception) by public authorities to such data.
- If the data importer is not allowed to notify about specific instances of government access, it should use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. If the data exporter is itself a processor, it has to forward the notification to its controller.
- The data importer should provide the data exporter at regular intervals with aggregate information about the access requests it has received.
- The data importer has to notify the concerned individuals if it receives a legally binding request from a public authority or court in the third country to disclose personal data concerning them.
- It may be difficult in practice to contact the concerned individuals (e.g. because the data importer has no direct relationship with them). In this respect, Clause 15.1(a) makes clear that the data importer may use the help of the data exporter (who may have a direct relationship with the individuals).
- If the importer considers that there are reasonable grounds to consider the request unlawful (e.g. if it is evident that the requesting authority has exceeded its powers), it should make use of the procedures available under its domestic law to challenge the request. If the data importer has challenged a request and considers that there are sufficient grounds to appeal the outcome of the procedure in first instance, such appeal should be pursued.
- When relying on Module 4 (transfers from a processor to its controller), you do not have to comply with Section III, and there is no need to carry out a transfer impact assessment: the personal data was originally processed outside the EEA, where it was already subject to the domestic legal framework. There is therefore no need for the parties to carry out a “transfer impact assessment” (Clause 14) or to comply with the obligations concerning access by public authorities to the data (Clause 15).
- This exception does not apply (and the parties therefore have to comply with Section III) if the data transferred by the processor (data exporter) to its controller (data importer) also includes personal data originating in Europe.
Controller-Processor Clauses
- Controller instructions can take any form, provided that they are subsequently documented.
- You MUST provide the names of your processors and sub-processors to your controller. Categories of processors are not enough.
- The SCCs do not specify the time period for the processor to notify the controller of a data breach concerning data processed by the processor. Clause 9.2 of the SCCs indicates that this has to be done “without undue delay”. It is therefore for the parties to determine this period taking into consideration the particular circumstances of the data processing at stake.
Group DPO, SAMSON GROUP | LL.M. candidate at UC Berkeley | FIP | CIPP/E | CIPM | National & International Data Protection | AI | InfoSec Management | Program/Project Management | Auditing/Risk Analysis & Mitigation