Background

With the 27 December 2022 deadline for updating data transfer contracts with the EU SCCs fast approaching, this alert mines European Commission guidance, as well as the team’s experience, and offers some tips for successful implementation.

On 25 May, the European Commission published guidance on the use of two new sets of standard contractual clauses (“SCCs”), including the modular set of clauses governing transfers (link to our webinar here) (“EU SCCs”). The guidance took the form of a series of questions and answers (“Q&As”) to offer practical guidance on how to use the SCCs in order to assist organisations meet their compliance efforts under the EU General Data Protection Regulation (“GDPR”).

Key points to note

1. Signature requirements. The parties to the SCCs must enter into a legally binding agreement to abide by them, fill in the annexes to the SCCs (“Annexes”) and sign Annex I. The Q&As do not prescribe how the signature should be formalised (e.g. whether electronic signatures or references to a signature of a broader commercial contract are acceptable). The parties can therefore choose their preferred approach, provided that it meets relevant national law requirements to ensure a binding agreement. 
2. Incorporation by reference. We see this approach increasing in popularity and, considering the length of the EU SCCs, that is hardly surprising! The Q&As affirm that both kinds of SCCs can be incorporated by reference into a broader commercial contract, provided that such incorporation is done in accordance with national law requirements.  If doing so, it is particularly important the parties ensure they still provide the information required by the Annexes and specify (in the broader commercial contract) which modules, options and specifications have been chosen. Certainty of terms is still a contractual requirement. 
3. How to use the “docking clause”. The “docking clause” is an optional clause, which provides a streamlined way to add new parties to a set of executed SCCs in the future, with the consent of all the pre-existing parties. The Q&As confirm that the formalisation of such consent is not regulated by the SCCs, but should be done in accordance with national law requirements. For example, if allowed under applicable contract law, one party may be appointed by the others to agree to the accession of a new party on behalf of all pre-existing parties. Once authorisation is formalised, the new party will need to complete the Annexes and sign Annex I in order to make the accession effective. Important to note is the Commission’s view that amending the main agreement to which the SCCs are annexed, by adding parties to that agreement, is not effective (of itself) to add those parties to the SCCs. When executing the EU SCCs, particularly in an intra-group context, including the docking clause may be useful.  
4. Not for use where importers are subject to the GDPR. The EU SCCs cannot be used for data transfers to importing controllers or processors outside of the EEA whose processing operations are subject to the GDPR by virtue of the extra-territorial application of the GDPR. This is because doing so would duplicate and, in part, deviate from the obligations that already apply to them directly under the GDPR. The Commission has confirmed that it is in the process of developing an additional set of SCCs for this scenario, however, it is not yet clear when these will be available. 
5. You can use multiple modules together in one agreement. Where the parties assume different roles for different data transfers taking place between them as part of their overall contractual relationship, they can and should use the appropriate module for each such transfer. The Q&As confirm that multiple modules may be agreed between the same parties at the same time, rather than them having to enter into multiple separate agreements. Again, this is consistent with what we see occurring in practice. 
6. Data processing terms are built in for transfers to processors.The requirements of Article 28 of the GDPR have been incorporated into Module 2 (controller-to-processor transfers) and 3 (processor-to-processor transfers) of the EU SCCs. By using these modules, controllers and processors do not need to enter into a separate data processing agreement.
7. Providing copies to data subjects. The Q&As include a reminder that data subjects are entitled to receive a copy of the EU SCCs “as they have been used”, including the modules/options as selected and the completed and signed Annexes. The Q&As make it clear that a general reference to the EU SCCs used (e.g. by the provision of a link to the Commission’s website) will not be sufficient for such purposes. It is permitted to redact information that concerns business secrets or other confidential information (e.g. personal data of other individuals), but an explanation should be provided as to why it was left out. If the remaining text becomes too difficult to understand, the parties must provide a meaningful summary of the redacted parts. This is something that organisations will need to consider when contemplating incorporation by reference. 
8. Limitations of liability. The EU SCCs regulate the liability of the parties as between themselves and towards data subjects. It is a fundamental principle that reliance on the EU SCCs is permitted on the basis that the broader commercial contract cannot contradict or undermine the EU SCCs liability schemes. The Q&As clarify that this only applies to liability for violations of the EU SCCs themselves, which means the parties can still limit liability for breaches of the data protection provisions in the broader commercial contract, subject to national law requirements, provided that the limitation does not apply to liability arising under the EU SCCs.
9. Effect of termination on other contractual arrangements. The Q&As clarify that the right to terminate the EU SCCs under clause 16 is limited to the parts of the contract that concern the processing of personal data. The effect of the termination of the EU SCCs on the wider commercial contract, in particular whether the data exporter will have a right to terminate the entire contractual relationship, will therefore be determined by the arrangements agreed to in the wider contract, as well as the law applicable to it. Organisations should therefore consider what termination rights to include in the wider contract. 
10. Recognition of the EU SCCs by other jurisdictions. The Commission notes that the EU SCCs can also have a role to play in terms of data exports from non-EEA countries, citing their endorsement by the UK and Switzerland, with limited formal adaptations to comply with domestic law.

Transfer Risk Assessments (“TRAs”)

Deployment of the EU SCCs requires the carrying out (and documentation) of a TRA (also called a TIA).  This requirement continues to be a burden for organisations using EU SCCs (see our alert here). There is no new guidance in relation to TRAs, but the Commission makes clear in the Q&As that the parties should continue to take into account the guidance of the European Data Protection Board’s (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (18 June 2021)).

Implications for the United Kingdom – the clock is ticking here, too!

While the SCCs do not form part of retained EU law, the Q&As may also be of assistance to users of the ICO's new transfer tools which came into force on 21 March 2022.  Of particular note is the UK’s international data transfer addendum which attaches to and incorporates the EU SCCs. This is because, in practice, organisations with a presence in the EEA and the UK are typically adopting a combination of the EU SCCs and the UK addendum when documenting their data transfers to third countries, rather than opting for separate EU-outbound and UK-outbound agreements. 

With the longstop date for replacing UK transfer clauses still some way off (21 March 2024), companies could be forgiven for thinking there is ample time to ‘re-paper’ such arrangements. However, in practice many global organisations (supplier side and customer side) are choosing to update their international transfers paperwork now and at a single stroke (combining EU SCCs and the UK addendum, as described). This means that the repapering of UK outbound transfers is being accelerated in practice.

[View source.]