The European Commission clarifies its own Standard Contractual Clauses

On 25 May 2022, the European Commission released long-awaited guidance for the Standard Contractual Clauses (SCCs) adopted in June 2021. The Commission has developed Questions and Answers (Q&As) as a dynamic source of practical guidance on the use of SCCs. The Q&As respond to industry feedback on key practical aspects of the SCCs.

Background

On 4 June 2021, the Commission adopted a new set of SCCs, replacing the old SCCs which pre-dated the GDPR.  There was a need to bring the SCCs in line with the EU’s legal framework and ensure they were able to adapt to the realities of the digital economy.

In addition to following the requirements of the GDPR, the new SCCs also address the deficiencies identified in the Schrems II decision by incorporating critical provisions dealing with requests for access to data by public authorities.

The form and scope of the SCCs was also updated through the use of a modular structure, and the scope was extended to cover instances of processor to processor and processor to controller transfers (see here for details). With the Hogan Lovells SCC Tool, we provide a legal tech tool that helps selecting the appropriate module(s) and adjusting the SCCs to a particular transfer in just a few steps.

To deal with the specific circumstances of the UK, on 21 March 2021, the UK Parliament approved an addendum which enables the use of the EU SCCs as a transfer mechanism for transfers of personal data from the UK to third countries. 

Key points to note in the Q&As

Some of the most notable takeaways from the Q&As are as follows:

  • The SCCs are not suitable for data transfer to data importers whose processing operations are directly subject to the GDPR.  This is because the SCCs "duplicate and, in part, deviate from the obligations that already follow directly from the GPDR."  Accordingly, the Commission is developing an additional set of SCCs to use in this scenario, which will take into account the requirements that already apply directly under the GDPR. However, the Commission did not specify which data transfer mechanism data exporters can rely on in the interim.
  • Formalities for signatures is a matter for the national law governing the agreement.  The Commission does not directly address in the Q&As whether the SCCs need to be signed separately from any broader commercial contract between the parties. However, it acknowledges that the SCCs do not prescribe the requirements on how signatures should be formalised (e.g. if it can be done electronically or by reference to a signature of a broader agreement).  This leaves it open for companies to decide on the best approach, based on the national law governing the agreement.  
  • Incorporation of SCCs by reference is also subject to national laws. The Commission does not expressly endorse the approach of incorporation of SCCs by reference, as seems to be emerging as market practice in many commercial sectors, instead of including the full text of the SCCs into a broader commercial agreement. The Commission does however acknowledge that the approach is a matter of national law that governs the SCCs.  As a result, as long as the national law allows the parties to agree the SCCs in a binding manner by incorporating them, then the Commission's view in the Q&As does not seem to prevent such a practice.
  • Additional clauses and incorporation into a commercial contract.  In the Q&As, the Commission acknowledges that the SCCs can be supplemented with additional clauses and/or incorporated into a broader commercial contract as long as this approach does not contradict the SCCs.  This will be welcomed by those companies who are already taking this approach.  
  • Companies should explain to data subjects how they can obtain a copy of relevant SCCs.  According to the Q&As, the Commission expects data exporters to inform data subjects that the SCCs are used to transfer data and explain how to obtain a copy of the clauses.  Companies relying on the SCCs may therefore need to consider updating their privacy policies or other transparency notices to provide the required information. 
  • Calling out the significance of Processor to Controller clauses (module 4).  The Commission has provided examples of the scenarios where module 4 of the SCCs should be used, namely where a processor in the EEA is hired by a controller outside the EEA to (i) collect data in the EEA on behalf of the controller, or (ii) process data received from the controller in the EEA. In light of the Q&As which confirm that the SCCs are not suitable for controllers or processors whose processing operations are directly subject to the GDPR and since most global businesses would be considered within the territorial scope of the GDPR due to the wide reach of Article 3 of the GDPR, it remains to be seen the extent to which module 4 is actually applicable in practice.

… and some notable omissions from the Q&As

  • No news on transfer impact assessments. The performance of transfer impact assessments (TIAs) is one of the biggest challenges for companies when complying with the requirements for international data transfers. Some may therefore have expected more detailed guidance on TIAs under the SCCs. However, the Q&As more or less only refer to the already existing guidance of the EDPB on supplementary measures for international data transfers (see here for background).
  • No clear illustrations for the implementation of SCCs in more complex processing chain scenarios. While the Q&As explain how the SCCs can be applied for some standard transfer scenarios, they do not discuss the implementation in more complex scenarios, e.g. longer processing chains involving onward transfers from a data importer located in a country subject to an adequacy decision of the European Commission.

Implications for companies subject to the UK GDPR

Companies whose operations are subject to the UK GDPR are still awaiting the ICO's own transfer mechanism guidance to accompany the Addendum and IDTA that came into force in March 2021.  In the meantime, the Commission’s Q&As will remain a useful point of reference for all companies wanting to understand how to use SCCs in practice.

 

Authored by Katie McMullan, Henrik Hanssen and Eduardo Ustaran.

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.