New EU standard contractual clauses – data transfer to third countries now legally secure?

Finally, the standard contractual clauses are adapted to the GDPR and take into account the ECJ case law on the Privacy Shield.

Attention, all already concluded standard contractual clauses must be updated within 18 months, until 27 December 2022.  All newly concluded contracts must take into account the new standard contractual clauses from 29 September 2021.

How are the standard contractual clauses concluded in practice?

In practice, the standard contractual clauses are usually provided by service providers in these forms:

  • Individual contract – Especially when contracting with companies that do not work on a large scale for EU clients, the standard contractual clauses are provided in the form of a contract (usually as a PDF file), which is then signed or signed individually.
  • Part of T&Cs – Large US providers offer standard contractual clauses as parts of or attachments to their T&Cs, so that the standard contractual clauses are automatically concluded with the conclusion of the contract (example of the email platform MailChimp).

However, the conclusion of the standard contractual clauses alone is not sufficient. The level of data privacy must be examined in each individual case. For example, the ECJ and the data privacy supervisory authorities do not reject the transfer of data to third countries (e.g. USA), but would like to have the security checked.

  • Checking the text of the contract – you must check whether the correct standard contractual clauses have been chosen for the respective contractual constellation and whether their content has not been changed. You also need to check that the annexes have been properly completed.
  • Checking the actual level of data protection – You must also check whether the promises to provide an adequate level of data privacy are actually complied with. This means that you must check whether the risk of access to the data by US authorities, as described by the ECJ, is prevented. To ensure an adequate level of data privacy, e.g. encryption procedures, pseudonymisation, server location in the EU or also a low risk for the data of the data subjects contribute.

However, there are interpretation misunderstandings in the recitals of the new standard contractual clauses, contained in point 7:

The standard contractual clauses may only be used for such data transfers to the extent that the processing by the data importer does not fall within the scope of Regulation (EU) 2016/679.

This recital would mean that the standard contractual clauses would always not have to be concluded if, for example, a US Cloud service falls under the GDPR. This would be the case, for example, if Dropbox, Microsoft Cloud or Google Cloud were also aimed at EU citizens. If an EU company then stores customer data in this Cloud, for example, no standard contractual clauses could / would have to be concluded with Dropbox, Microsoft or Google. However, this result contradicts the wording of Art. 44 et seq. GDPR, which does not provide for such an exception in the case of processing in a third country. It is therefore to be hoped that the EU Commission will soon publish an interpretation aid for its erratic interpretation guidelines.

This means that you must become active and take the following measures:

  • Take stock in your own company – check whether data of customers, users, members, etc. are processed in third countries and especially in the USA (or by companies located in these countries).
  • Take stock of subcontractors – It must also be checked whether subcontractors and service providers, e.g. the web host or accounting service, use providers from third countries / USA (e.g. rent servers from Amazon Webservices).
  • Request for new standard contractual clauses – Third country providers must be asked to provide the new standard contractual clauses (alternatively, although less common, standard contractual clauses can be provided to them for review and signature). Similarly, subcontractors must be asked whether corresponding standard contractual clauses have in turn been concluded with their subcontractors in third countries (ideally, copies should be requested).
  • Request for security measures – The providers from third countries must be asked to name the security measures with which the special risks of the third-country transfer are mitigated (e.g. encryption, server location in the EU, pseudonymisation). Subcontractors must also be asked whether their subcontractors from third countries have provided evidence of corresponding security measures (ideally, they should also be asked to provide a list and copies of the confirmations).
  • Checking the standard contractual clauses – you must check that the modules of the standard contractual clauses are correctly selected, that their text has not been modified and that the annexes are properly completed.
  • Verification of the level of data privacy – You must verify, on the basis of the notified security measures, whether a sufficient level of data privacy is ensured for the respective processing of the data by service providers and subcontractors.
  • Logging – you must record the audit procedures for evidence purposes (e.g. in a table with providers, times of requests, results and justification of your audit result).

Recommendation

Even though the end of 2022 is still far in the future, you should urge your contractual partners to replace the standard contractual clauses as soon as possible. Especially because the new standard contractual clauses implement the demands of the data privacy supervisory authority to supplement the previous clauses as a result of the ECJ’s case law on US data transfers. It can therefore be assumed that supervisory authorities will very soon declare the use of US providers on the basis of old standard contractual clauses to be inadmissible.