It’s time to renew your data transfer clauses in the EU! Here are some tips for ‘reupholstering’ | Bryan Cave Leighton Paisner
As the 27 December 2022 deadline for updating data transfer contracts with EU SCCs is fast approaching, this alert draws on guidance from the European Commission, as well as the experience of the team, and offers some tips for a successful implementation.
On May 25, the European Commission published guidance on the use of two new sets of standard contractual clauses (“SCCs”), including the modular set of clauses governing transfers (link to our webinar here) (“EU SCCs”). The guidance took the form of a series of questions and answers (“Questions and answers”) offering practical advice on how to use SCCs to help organizations with their compliance efforts under the EU General Data Protection Regulation (“GDPR”).
Key points to note
- Signature Requirements. SCC parties must enter into a legally binding agreement to comply, complete SCC annexes (“Appendices”) and sign Annex I. The questions and answers do not prescribe how the signature should be formalized (for example, whether electronic signatures or references to signing a larger commercial contract are acceptable). The parties can therefore choose the approach they prefer, provided that it meets the requirements of applicable national law to ensure a binding agreement.
- Incorporation by reference. We see this approach gaining popularity and, given the duration of EU SCCs, it is hardly surprising! The Q&A asserts that both types of SCCs can be incorporated by reference into a larger commercial contract, provided that such incorporation is done in accordance with the requirements of national law. In this case, it is particularly important that the parties ensure that they always provide the information required by the annexes and specify (in the wider commercial contract) which modules, options and specifications have been chosen. Certainty of terms remains a contractual requirement.
- How to use the “docking clause”. The “Docking Clause” is an optional clause, which provides a simplified way to add new parties to a set of executed SCCs in the future, with the consent of all pre-existing parties. The questions and answers confirm that the formalization of such consent is not regulated by the SCCs, but must be carried out in accordance with the requirements of national legislation. For example, if permitted by applicable contract law, one party may be appointed by the others to accept the membership of a new party on behalf of all pre-existing parties. Once the authorization has been formalized, the new party must complete the annexes and sign Annex I in order to make the membership effective. It is important to note that the Commission is of the view that amending the main agreement to which the SCCs are annexed, by adding parties to that agreement, is not effective (in itself) to add those parties to the SCCs. When performing EU SCCs, especially in an intra-group context, including the docking clause can be helpful.
- Not for use where importers are subject to GDPR. EU SCCs cannot be used for data transfers to importing controllers or processors outside of the EEA whose processing operations are subject to the GDPR under the extraterritorial application of the GDPR. Indeed, this would amount to duplicating and, in part, deviating from the obligations that are already directly applicable to them under the GDPR. The Commission has confirmed that it is developing an additional set of SCCs for this scenario, but it is not yet known when these will be available.
- You can use several modules together in one contract. Where the parties assume different roles for different data transfers taking place between them under their overall contractual relationship, they can and should use the appropriate module for each such transfer. The questions and answers confirm that several modules can be agreed between the same parties at the same time, rather than having to enter into several separate agreements. Again, this is what we see happening in practice.
- Data processing terms are incorporated for transfers to processors. The requirements of Article 28 of the GDPR have been integrated into Modules 2 (transfers from controller to processor) and 3 (transfers from processor to processor) of the EU SCCs. By using these modules, controllers and processors do not need to enter into a separate data processing agreement.
- Provide copies to affected individuals. The Q&A includes a reminder that data subjects are entitled to receive a copy of the EU SCCs “as used”, including modules/options selected and annexes completed and signed. The questions and answers clarify that a general reference to the EU SCCs used (e.g. by providing a link to the Commission’s website) will not be sufficient for these purposes. It is permitted to delete information concerning trade secrets or other confidential information (for example, the personal data of other people), but an explanation must be provided as to why it was omitted. If the rest of the text becomes too difficult to understand, parties should provide a meaningful summary of the redacted portions. This is something organizations will need to bear in mind when considering incorporation by reference.
- Limitation of Liability. EU SCCs regulate the parties’ liability to each other and to data subjects. It is a fundamental principle that the use of EU SCCs is permitted on the basis that the broader commercial contract cannot contradict or undermine the EU SCCs’ liability regimes. The questions and answers clarify that this only applies to liability for breaches of the EU SCCs themselves, which means parties can always limit liability for breaches of data protection provisions in the wider commercial contract, subject to the requirements of national law, provided that the limitation does not apply to liability arising from EU SCCs.
- Effect of Termination on Other Contractual Arrangements. The questions and answers clarify that the right to terminate EU SCCs under clause 16 is limited to those parts of the contract which relate to the processing of personal data. The effect of the termination of the EU SCCs on the wider commercial contract, in particular whether the data exporter will have the right to terminate the entire contractual relationship, will therefore be determined by the provisions agreed in the broader contract, as well as by the law which is applicable to it. Organizations therefore need to consider what termination rights to include in the larger contract.
- Recognition of EU SCCs by other jurisdictions. The Commission notes that EU SCCs may also have a role to play in terms of exporting data from non-EEA countries, citing their approval by the UK and Switzerland, with limited formal adaptations to comply with national law.
Transfer Risk Assessments (“TRAs”)
The deployment of EU SCCs requires the completion (and documentation) of a TRA (also known as TIA). This requirement continues to be a burden for organizations using EU SCCs (see our alert here). There is no new guidance on TRAs, but the Commission makes clear in the Q&A that parties should continue to take into account the guidance of the European Data Protection Board (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (June 18, 2021)).
Implications for the UK – time is running out here too!
Although SCCs are not part of retained EU law, the Q&As may also be useful to users of the new ICO transfer tools which came into effect on March 21, 2022. Of particular note is the UK’s International Data Transfer Addendum, which attaches to and incorporates EU SCCs. Indeed, in practice, organizations operating in the EEA and the UK generally adopt a combination of the EU SCCs and the UK Addendum when documenting their data transfers to third countries, rather than opting for separate EU and UK outgoing data transfer agreements.
With the deadline for replacing transfer clauses in the UK still a long way off (March 21, 2024), companies could be forgiven for thinking there’s enough time to ‘rewrite’ such deals. However, in practice, many global organizations (supplier side and customer side) choose to update their international transfer documents now and all at once (by combining the EU SCCs and the UK Addendum, as described). This means that the rekeying of transfers out of the UK is accelerating in practice.