- What are the new standard contractual clauses for the transfer of personal data to third countries adopted in June 2021 by the European Commission?
It is a model contract that includes standard contractual clauses that can be used when an entity subject to the GDPR intends to transfer personal data to a third country that does not ensure an adequate level of protection, in order to ensure the appropriate safeguards required by the GDPR.
- Which cases of transfers are regulated?
The new clauses include four different transfer scenarios to reflect the complexity of modern processing chains by giving businesses the opportunity to choose each time which section applies and governs each transfer depending on their role in the processing. The correct (in fact and in law) identification of the role played by the business in the processing is an exercise that raises significant legal challenges and requires experienced legal assistance. The four sections included in the clauses are as follows:
- From Controller to Controller
- From Controller to Processor
- From processor to processor
- From processor to processor to processor
- When should businesses start using the new standard contractual clauses?
In all contracts concluded from 27 September 2021 onwards. For contracts entered into before 27 September 2021, the new clauses provide for a transitional period of 18 months from their entry into force (27-06-2021) for the replacement of the previous standard contractual clauses with the new ones (unless the business makes a change to the processing covered by the older contractual clauses before the cut-off date (27-12-2022), in which case the replacement must be made at that earlier point in time).
- Is the use of the standard contractual clauses alone sufficient to ensure the lawfulness of a transfer of personal data to a third country?
The mere use of the standard contractual clauses does not exhaust the requirements for ensuring the lawfulness of a transfer of personal data to a third country. This includes, inter alia, the implementation of other regulatory compliance actions (such as carrying out an impact assessment for the data transfer, taking additional measures when necessary, etc.) and the obligation for the business to comply with the general requirements of the applicable legislation as Data Controller or Processor.
- What else should a company take into account when formulating its strategy on international transfers?
A transfer of personal data to a third country is a complex processing operation, the legality of which requires the assistance of the appropriate parts of the business to ensure that all the necessary procedural and legal steps, including the drafting of appropriate legal documents, have already been taken before the transfer takes place in order to ensure the uninterrupted business continuity of the business under the new standard contractual clauses.