Standard contractual clauses (SCCs) are only valid if they can ensure that personal data is protected in accordance with a standard that complies with the GDPR and the EU Charter of Fundamental Rights. This customer alert is intended to help explain the possible uses of these new standard contractual clauses. SCCs are an important means of ensuring the legal and secure transfer of personal data from the European Economic Area (EEA) to “third countries” (non-EEA countries). Some state surveillance is acceptable in this context, for example when security services must request an arrest warrant before requesting personal data from a company. Unfortunately, some U.S. surveillance laws do not meet this standard. The EU SCCs only apply if a data exporter is subject to the GDPR (which may extend to exporters outside the EU in certain circumstances, due to the extraterritoriality provisions of the GDPR). They can also only be used for data transfers when the data importer is not subject to the GDPR. (The idea is that an adequate level of data protection should already be in place where the importer is already subject to the GDPR due to the extraterritoriality provisions in Article 3(2).) However, this is not compatible with issues such as the ability of third-country authorities to access the data.
However, as the recent Schrems cases show, the SCCs do not really circumvent these concerns either, and the practical idea when data is transferred from the EEA (whether to an entity that falls under the GDPR on the basis of extraterritoriality or to an entity that has signed the SCCs) is that data should only be transferred when necessary and should be minimised as much as possible, and that an assessment of appropriate additional security measures should be considered. In general, the new SCCs represent an improvement over previous standards, as they offer greater flexibility for long and complex processing chains and a “single point of entry that covers a wide range of transfer scenarios”. (See press release “European Commission adopts new tools for secure exchange of personal data”, 4 June 2021.) On the one hand, the standard contractual clauses for data processing agreements (DPAs) aim to provide an optional set of clauses that controllers and processors can use to conclude contracts in accordance with Article 28 of the GDPR. However, each data processing agreement is directly subject to Article 28 of the GDPR and does not require the use of clauses approved by the European Commission or EU supervisory authorities to be valid. In addition, many supervisory authorities have published similar DPA templates in order to provide guidance to controllers and processors. However, the standard contractual clauses for DPAs adopted by the European Commission may offer additional convenience to companies and organisations involved in the cross-border processing of personal data that cannot rely on the guidelines of their (lead) supervisory authority. Standard Contractual Clauses (SCCs) aim to protect personal data leaving the EEA for countries that do not have an adequacy decision and therefore may not provide the same level of security for personal data.
The SCCs guarantee through contractual obligations that the data is protected to the level required by the GDPR. The updated SCCs allow more than two parties to adhere to the terms of the contract with the SCCs and allow other controllers and processors to “join the standard contractual clauses as exporters or importers of data throughout the life cycle of the contract of which they are a part”. This more complex contractual “ecosystem” was not taken into account by the former SCCs. In this context, the European Commission launched the process of adopting these standard contractual clauses on 12 November 2020 with the adoption of draft implementing decisions for new SCCs and standard contractual clauses for DPAs. The decisions adopted on 4 June 2021 take into account the joint opinion of the European Data Protection Board (EDPB), feedback from stakeholders and the views of Member States' representatives. You can add additional clauses, and in fact you may have to do so (as we will see below), but these should not conflict with the SCCs. Under the new SCCs, the European Commission has adopted a single set of clauses in a contract comprising three types of provisions: (i) fixed clauses that must remain unchanged regardless of the parties implementing the new SCCs; (ii) the modules to be added to or removed from the final contract, depending on the parties executing the new SCCs (C2C, C2P, P2C and P2P) and their choice from the available options; and (iii) empty clauses and annexes to be completed and supplemented by the parties with relevant information (e.g. categories of data transmitted, data subjects, etc.). On 4 June 2021, the European Commission adopted two implementing decisions containing standard contractual clauses for the processing and transfer of personal data in accordance with the General Data Protection Regulation (“GDPR”).
In particular, these decisions require exporters to apply strong encryption to personal data and include additional contractual clauses that require the importer not to disclose the data to the U.S. government. As expected, the updated SCCs also include strong protection for data subjects.
The general responsibilities of the data exporter under the GDPR include providing data subjects with information about the intention to transfer their personal data, including the categories of personal data processed, the right to obtain a copy of the Standard Contractual Clauses, and any disclosure. . . .