On 4 June 2021, the European Commission published a new set of standard contractual clauses aimed at providing adequate safeguards for the transfer of personal data to a non-EEA country in the absence of an adequacy decision by the European Commission for that country (“new CCTs”). [17] The new CLAs are based on the old ones and should therefore be used “as is”. [18] However, the new SCAs are more comprehensive than the previous CCSs and are intended to provide parties with flexibility to deal with complex data transfer scenarios. US companies that receive personal data from EEA subjects should not rely on their European counterparts to ensure that their data transfer agreements meet the requirements of the new CLAs in a timely manner. Instead, these U.S. companies should act immediately: the new SCCs were released on September 4. June, but will not enter into force until 20 days after official publication in the Official Journal of the European Union (date of entry into force). This is expected to happen in the coming days. The Standard Contractual Clauses for Data Protection Authorities adopted by the European Commission on 4 June 2021 therefore aim to provide a single, prima facie legal DPA on which companies and organisations can rely and execute to govern their relationship between the controller and the processor. The EC`s adequacy decision concerning the United Kingdom is not yet final. Recently, the European Parliament invited the European Commission to amend its draft decision on the adequacy of the United Kingdom, reiterating the concerns of the European Data Protection Board regarding the UK`s surveillance and mass data retransmission practices, as well as some of its international data exchange agreements. The European Parliament resolution called on Member States` data protection authorities to suspend the transfer of personal data to the UK if the adequacy decision is implemented without review.
Following the Brexit transition period, which ended on 31 December 2020, the EU and the UK agreed to postpone data transfer restrictions for up to six months. The ICO has recommended that UK companies receiving personal data from the EEA set up alternative transfer mechanisms by the end of April 2021. With the transition period ending quickly at the end of this month and no final adequacy decision, companies should consider whether they should reconsider their transfers between the EEA and the UK. The new CBAs largely follow the draft Implementing Decision on Standard Contractual Clauses (draft CLAs) published by the European Commission on 12 November 2020, but there are some key differences. In fact, the important and extensive new requirements of CCAs for data importers acting as controllers (e.B. Obligations to notify data subjects and report personal data breaches to EU authorities, but have been more closely aligned with the requirements of the GDPR. As we have seen recently, when the GDPR and the California Consumer Privacy Act (CCPA) came into force, the introduction of new requirements and the implementation of data protection provisions in various contractual relationships can take a long time. For more information on the new CCAs, compliance or other questions on this topic, please contact the authors or Mark Melodia, Chair of Holland & Knight`s Data Strategy, Security and Privacy team. The 4. In June 2021, the Executive of the European Union (EU), the European Commission (EC), published its new Standard Contractual Clauses (SCAs) for cross-border data transfers compliant under the EU`s General Data Protection Regulation (GDPR), ending a long wait for revised CTCs. The new CLAs solve some of the practical problems that companies faced when using the old versions, but at the same time introduce new obligations for companies that transfer personal data from the EU. The European Commission has also published a number of CBAs to comply with the requirements of Article 28 of the GDPR for the transfer of personal data from the controller to the processor within the European Economic Area (EEA).
This blog post focuses on CCTs designed for the cross-border transfer of personal data. The 4. In June 2021, the Commission published two new CBAs. The first sentence replaces the old CLAs for cross-border data transfers to third countries. The second sentence is intended to be used between controllers and processors – previously, organisations had to create their own contractual conditions to fulfil the obligations between the controller and the processor under the GDPR, which is likely to bring much more uniformity to these relationships. Under the GDPR, the European Commission has the power to adopt implementing acts, in particular: (i) the creation of standard contractual clauses for data protection authorities between controllers and processors and between processors and sub-processors (Article 28(7) GDPR) and (ii) the creation of standard contractual clauses as appropriate protection for the transfer of personal data to third countries (Article 46(2)(a) GDPR). These will replace the old 2010 Standard Contractual Clauses. The new clauses reflect changes implemented with the eu`s new data protection law, the General Data Protection Regulation (GDPR) of 2018. The GDPR restricts the types of personal data that can be legally transferred.
The new standard contractual clauses require companies to provide their employees with more information about data transfers than before under the GDPR. “Multinational employers with employees in the EU may need to review and redistribute the data processing notices they have previously provided to employees,” Gordon confirmed. The standard contractual clauses for data protection authorities contain all the elements referred to in Article 28 of the GDPR for the validity of the controller and processor agreements. In some sections, they leave the parties some leeway, for example by providing two options for the use of sub-processors (i.e. specific prior authorisation or general written authorisation). In addition, the European Commission`s Implementing Decision stipulates that the established standard contractual clauses may be used by the parties in whole or in part within the framework of their own data protection authorities or as part of a wider contract. So far, it has published two sets of standard contractual clauses for the transfer of data controllers in the EU to controllers based outside the EU or the European Economic Area (EEA). EU companies, especially those dealing with US companies that have been in a standby situation since the Schrems II judgment of July 2020, are advised to consider starting contract extensions using the new CLAs. .
. .