The European Commission published, on Friday 13 November, two draft decisions to update the standard contractual clauses in the light of the General Data Protection Regulation (2016/679). One relates to the processing of personal data by a subcontractor; the other relates to contractual clauses associated with the transfer of personal data to non-Member States.
These proposals can be commented on for 4 weeks, until 10 December (feedback mechanism). So far, about 10 comments have been submitted by stakeholders.
Consequences of the Schrems II judgment
In his speech to MEPs in September, Commissioner for Justice Didier Reynders said that he had been working on this modernisation for many months (see EUROPE 12552/11). However, the Schrems II judgment has made these new provisions even more necessary.
In July this year, the EU Court of Justice invalidated the EU-US Privacy Shield on the grounds that it did not offer the necessary guarantees of protection (see EUROPE 12529/2). It also stated that the transfer of personal data to non-Member States should be stopped when the requirements of the standard contractual clauses were not met.
The draft decision for implementing standard contractual clauses for the transfer of personal data to non-Member States updates Decisions 2001/497/EC and 2010/87/EU. It “combines general clauses with a modular approach, in order to cover the different transfer scenarios [between supervisory and processing authorities, editor’s note] and the complexity of the modern processing chain”.
Transfer to non-Member States
Clause 3 draws lessons from the Schrems II judgment by providing for new obligations for the importer of data subject to a request for access by their government. For example, the importer should promptly inform the data exporter (and, where possible, the person to whom the data belong) when they receive a binding request for access or when they become aware of direct access by that government.
If the importer is not entitled to do so under their country’s rules, they must undertake to make every effort (“best efforts”) to ensure that the ban is lifted with a view to providing as much information as possible. Depending also on the rules of the non-Member State, the importer must undertake to provide the exporter, at regular intervals, with as much information as possible on the requests received (number of requests, by whom, type of data requested, etc.). The importer must also undertake to examine the legality of such requests and to challenge them, if necessary.
The draft decision, which will apply as soon as it is adopted, introduces a transition period of 1 year, during which the old clauses remain valid, provided that the contract remains unchanged.
Subcontracting
For the first time, the Commission also proposes to introduce standard contractual clauses for contracts between controllers and processors located in the EU. These new clauses should be read while keeping in mind the GDPR and Regulation 2018/1725 on the processing of personal data by the EU institutions and bodies.
Links to the draft decisions: https://bit.ly/3lOBr89 and https://bit.ly/2ILr5qD (Original version in French by Sophie Petitjean)