The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted joint opinions on two sets of new standard contractual clauses (SCCs) for transfers of personal data outside the European Economic Area (EEA).
The new standard contractual clauses will govern the transfer of personal data outside the EEA and aim to ensure full harmonization and legal certainty across the EU regarding contracts between data controllers and their data processors.
The EDPB and EDPS welcomed the new SCCs but called for several changes to be adopted from the draft new standard contractual clauses published by the European Commission and submitted to the EDPB and EDPS for advice.
Based on the press release, Andrea Jelinek, chair of the EDPB, said, “The EDPB and EDPS welcome SCCs between controllers and processors as a single, strong, and EU-wide accountability tool that will facilitate compliance with the provisions of both the GDPR and EUDPR. Among other things, the EDPB and EDPS call for sufficient clarity to be provided to parties on the situations in which they can rely on these SCCs and emphasize that situations involving transfers outside the EU should not be excluded.”
Apparently, the requested changes are numerous and concern, among others, the so-called “docking clause” that allows additional parties to join SCCs and data processors’ obligations. Besides, the EDPB and EDPS suggest that the annexes to the SCCs clarify as much as possible the roles and responsibilities of each party concerning each processing activity because any ambiguity would make it more difficult for controllers or processors to fulfill their obligations under the accountability principle.
The draft standard contractual clauses will govern transfers of personal data outside the EEA to replace the current SCCs, taking into account changes introduced not only through the GDPR but also the CJEU’s “Schrems II” ruling, and to better reflect the widespread use of new and more complex processing operations that often involve multiple data importers and exporters.
The new SCCs do not resolve the issues around data transfers outside the EEA generated by the Schrems II ruling. In fact, the EDPB and EDPS indicate that, concerning specific transfers of personal data to third countries, the additional measures outlined in the EDPB’s recommendations that were the subject of the consultation in which DLA Piper participated with the contribution available HERE may be necessary.
This position statement shows how it remains essential to perform a transfer impact assessment in relation to any transfer of personal data outside the EEA, and the most convenient way to do so is – in our opinion – through the legal tech tool developed by DLA Piper, which I covered in this article “Do you have a data transfer methodology based on the Schrems II decision?“.
Image courtesy Thomas Hawk