The European Commission’s Draft Standard Contractual Clauses: Key Takeaways

November 12, 2020 | Alerts

In the wake of the European Data Protection Board guidance on Post-Schrems II data transfers, which may render the question of using the clauses moot for some companies, the European Commission issued draft standard contractual clauses fit for the age of the General Data Protection Regulation (GDPR).

Key Takeaways

  • Very modular "fill in the annex" approach with modules for four scenarios: controller to controller, controller to processor, processor to processor and processor to controller.
  • Section on prevalence in the event of a conflict included.
  • Section on accession of new parties included. All you need is to fill in and sign the "list of parties" annex and amend the other annexes.
  • Explicit representation by exporter that it has used reasonable efforts to determine that the importer is able to satisfy its obligations under the clauses.
  • Parties are required to provide individuals with a copy of the clauses upon request. Redaction is permitted, but a summary is required if the redaction will cause the individual to misunderstand.
  • Transfers of special category data require additional protections.
  • Provisions included on GDPR concepts of accuracy, data minimization, storage limitation, information security, data breach notification, accountability.
  • Onward transfer:
    • For controller-to-controller transfers, onward transfer is permitted where one of the following applies:
      • the transferee agrees to the clauses;
      • the transferee is in an adequate country;
      • appropriate safeguards under Article 46/47 are in place;
      • the transferee enters into an equivalent agreement; or
      • the data subject provides explicit consent.
    • For the other modules, the permitted circumstances are more limited (e.g. (1) the third party has signed the clauses; (2) Article 46/37 safeguards are in place; or (3) Article 45 adequacy applies).
  • Information security measures (in the controller-to-processor module): specifically call out anonymization and pseudonymization (where this does not prevent fulfilling the purpose of the processing), require that the additional information remain under the exclusive control of the exporter, and require listing the measures in an annex.
  • Extensive representations on the assessment of local law and that it won't prevent the parties from fulfilling their obligations.
  • Extensive representations on pushing back against public authorities' requests for disclosure of information (exhaust all available remedies to challenge the request).
  • The controller-to-controller and controller-to-processor portions are reminiscent of Article 26 and Article 28 agreements, respectively, and allow for detail and specificity on some components (e.g. the technical and organizational measures).
  • Specific provisions on redress for the individuals.
  • Liability: each party is liable to the other party, and liability between the parties is limited to the actual damage suffered. Liability to the data subject is joint and several.
  • Indemnification is provided for the part of the liability that corresponds to the other party's part of the responsibility.
  • Specific mention of the relevant supervisory authority with a vague provision for determining this for non-European Union entities.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with cross-border data transfer issues, contact Odia at [email protected] or 215.444.7313.