Standard Contractual Clauses (SCCs) aim to protect personal data leaving the EEA and therefore to countries that do not have an adequacy decision and therefore may not provide the same level of security for personal data. The CCT guarantees through contractual obligations that the data is protected to a level required by the GDPR. The COLLECTIVE SHALL DEFINE THE RIGHTS AND OBLIGATIONS OF THE CONTROLLER AND THE PROCESSOR WHEN PROCESSING PERSONAL DATA ON BEHALF OF THE CONTROLLER. The clauses aim to ensure that each is GDPR compliant, contain obligations on both sides and set out rights for the individuals whose personal data is transferred. The guidelines also suggest writing to U.S. companies asking what steps they are taking to prevent communications from being intercepted by the NSA. It is argued that the U.S. government can break very strong encryption. So far, it has adopted two standard contractual clauses for data transfers from data controllers in the EU to controllers based outside the EU or the European Economic Area (EEA). This customer alert is intended to help explain the possible uses of these new standard contractual clauses.
The decision on the new NCC for the transfer of personal data to third countries provides for two transitional periods (or grace periods) to allow stakeholders to change their contractual framework. These will replace the old 2010 Standard Contractual Clauses. The new clauses reflect changes implemented with the eu`s new data protection law, the General Data Protection Regulation (GDPR) of 2018. The GDPR restricts the types of personal data that can be legally transferred. In this context, the European Commission launched the process of adopting these standard contractual clauses on 12 November 2020 with the adoption of draft implementing decisions for new CBAs and standard contractual clauses for DPAs. The decisions adopted on 4 June 2021 take into account the joint opinion of the European Data Protection Board (EDPS), feedback from stakeholders and the views of Member States` representatives.  See Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors, in accordance with Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council; and Commission Implementing Decision (EU) 2021/914 of 4. June 2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council. On 4 June 2021, the Commission published two sets of new CBAs. The first sentence replaces the former CCN for cross-border data transfers to third countries. The second sentence is intended to be used between controllers and processors – previously, organisations had to create their own contractual conditions to comply with the obligations between the controller and the processor under the GDPR, which is likely to bring much more consistency to these relationships.
Some state surveillance is acceptable in this context. For example, when security services must request an arrest warrant before requesting personal data from a company. Unfortunately, some U.S. surveillance laws do not meet this standard. The publication of the final version of the Standard Contractual Clauses, and in particular the new SCC on the transfer of personal data to third countries, was eagerly awaited. for data importers who are subcontractors, modules two and three also contain the mandatory clauses of the GDPR mentioned above in Set One; In the case of CLAs, both companies subject the transfer to a legally binding agreement that contains clauses ensuring that the recipient of the third country protects the personal data. The GDPR establishes specific and mandatory clauses that must be included in contracts between controllers and processors when these processors process personal data from the EU on behalf of these data controllers. These mandatory clauses, as well as other recommended clauses, have been summarised by the European Commission in a single document for the convenience of the parties: this SET One SCCs.
These set-one CCTs are primarily intended for use for intra-EU transfers or other transfers to data processors where Set Two SCCs are not required. As we have seen in the recent past with the entry into force of the GDPR and the California Consumer Privacy Act (CCPA), the introduction of new requirements and the implementation of data protection regulations in various contractual relationships can take a long time. For more information on the new CCAs, compliance or other questions on this topic, please contact the authors or Mark Melodia, Chair of Holland & Knight`s Data Strategy, Security and Privacy team. The new standard contractual clauses require companies to provide employees with more information about data transfers than before under the GDPR. “Multinational employers with employees in the EU may need to review and redistribute the data processing notices they have previously provided to employees,” Gordon confirmed. The implications of the adoption of these standard contractual clauses by the European Commission are different for the two scenarios. These decisions aim to provide companies with more comprehensive contractual tools that they can implement before processing or transferring personal data from the EEA in accordance with the new requirements of the GDPR. Unlike the old CCT, which only applied to controller-to-controller (“C2C”) and controller-to-processor (“C2P”) transfers outside the EEA, the new SCCs include various modules that the parties can select and complete depending on the circumstances of the transfer (C2C, C2P, P2P and P2C).
In addition, the new CLAs that apply to the transfer of personal data outside the EEA take into account the judgment of the Court of Justice of the European Union (“CJEU”) of 16 July 2020 in the Schrems II case. In this article, we will explain what CLAs are, why you need them, and how to use them. We`ll also discuss some of the additional safeguards you may need to implement as a result of recent legal developments. Standard Contractual Clauses (SCCs) are an important means of ensuring the legal and secure transfer of personal data from the European Economic Area (EEA) to “third countries” (non-EEA countries). The European Commission may decide that the standard contractual clauses provide sufficient safeguards for data protection so that data can be transferred internationally. The European Centre for Digital Rights (led by the person who filed the Schrems II case, Max Schrems himself) has produced guidance on what companies should do if they want to continue using CSCs to transfer personal data from the EEA to the US. The new CLAs have a modular structure of clauses that data exporters will use depending on the nature of their roles and responsibilities with regard to the transfer of data in question: on the one hand, the standard contractual clauses for data protection authorities aim to provide an optional set of clauses that controllers and processors use to perform contracts in accordance with Article 28 of the GDPR power. However, each data protection authority is directly subject to Article 28 of the GDPR and does not require the use of clauses approved by the European Commission or EU supervisory authorities to be valid. In addition, many supervisory authorities have published and published similar DPA templates in order to provide guidance to controllers and processors.  However, the standard contractual clauses for data protection authorities adopted by the European Commission may offer additional convenience to companies and organisations involved in the cross-border processing of personal data that cannot rely on the guidelines of their (lead) supervisory authority.
Under the new CBAs, the European Commission has adopted a single set of clauses in a contract comprising three types of provisions: (i) fixed clauses that must remain unchanged regardless of the parties implementing the new CLAs; (ii) the modules to be added/removed from the final contract, depending on the parties performing the new CLCs (C2C, C2P, P2C and P2P) and their choice from the available options; and (iii) empty clauses and annexes to be filled in and filled in by the parties with the relevant information (e.B. categories of data transmitted, data subjects, etc.). The use of these standard contractual clauses for data protection authorities will give controllers and processors a certain additional degree of security with regard to their compliance with Article 28 of the GDPR, in particular vis-à-vis supervisory authorities or national courts in the event of a dispute. Although data protection authorities that do not comply with the standard contractual clauses of the European Commission or supervisory authorities are not illegal per se, they should be subject to scrutiny if they are the subject of disputes or if they are in the sights of the authorities. As expected, the updated CLCs also include strong protection for those affected. The general responsibilities of the data exporter under the GDPR include providing data subjects with information about the intention to transfer their personal data, including the categories of personal data processed, the right to obtain a copy of the Standard Contractual Clauses and any disclosure. .