- 9541 visitas
Keywords: standard contractual clauses – Commission Implementing Decision - cross border data flows – personal data processing – data protection – controller and processor’s responsibility.
Standard contractual clauses (SCC) constitute one of the legal bases that under Regulation (EU) 679/2016 allow data transfer towards third countries in the absence of an adequacy decision.[1] In particular, SCC are contractual obligations agreed by an exporter established in a Member State and an importer established in a third country.
On 4 June 2021, the European Commission adopted the Implementing Decision 914/2021/EU on standard contractual clauses for the transfer of personal data to third countries pursuant Regulation (EU) 679/2016.[2] The new framework of model clauses provided by the Decision aims both at facilitating international data transfers and at ensuring appropriate data protection safeguards.[3] The evolution of an increasingly globalized market, in which cross border data flows are necessary for the expansion of international trade, has led to the creation of data transfers chains characterised by a plurality of controllers and processors, where the principal transfer is followed by a series of subsequent transfers and, therefore, processing.[4] The new Decision addresses some of the most critical issues of previous models of standard contractual clauses: the contractual gap caused by the lack of regulation concerning data transfers chains, together with the non-derogable nature of the clauses.
The Decision 914/2021/EU is followed by an annex, which provides different models of clauses depending on the subjects operating the transfer. It also includes an appendix with an explanatory note, and three more annexes, which must be filled by the subject operating the transfer with the required information.
One of the major innovations of Decision 914/2021/EU concerns the structure of the SCC. To adapt to different scenarios and to the growing complexity of modern processing data chains, general clauses are combined with a modular approach. In addition to general clauses, controllers and processors shall select the module that fits their situation, “so as to tailor their obligations under the standard contractual clauses to their role and responsibilities in relation to the data processing in question”.[5] Such structure mirrors the aim of the Decision to allow a variety of subjects to adhere to standard contractual clauses, enabling further controllers and processors – as importers and exporters – to access the system of model contractual clauses for the entire duration of the data processing. The ratio of the approach of the contractual scheme is to adapt model clauses to various operations that may take place between importer and exporter of data, depending on their role in the transfer.
A total of four models of contractual clauses is provided. As for previous Decisions,[6] they are dedicated to transfers of data taking place between an exporter established in the territory of the European Union and an importer established in a third country. The Decision grants, for a plurality of parties, the possibility to “adhere or accede to a single set of contractual clauses, potentially limiting the number of separate contracts companies must sign when onboarding new vendors or service providers”.[7] Moreover, in the fourth model, the Commission takes into consideration for the first time transfers occurring between processors and from a EU processor to a controller established in a third country. For this reason, the fourth model has received appreciation by the European Data Protection Board and by European Data Protection Supervisor.[8]
The overall structure of this new model raises some challenges. Indeed, the possibility of interfacing different contractual forms within the same general model is likely to generate some uncertainties in its practical application.
In more general terms, the new Commission Decision appears to suggest a significant shift in the scope of application of the SCC. Art. 1 of the Decision on the scope of application of the model clauses states that “[t]he standard contractual clauses set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 679/2016 for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer)”.[9] This would mean that the clauses should be adopted only when Regulation (EU) 679/2016 is not directly applicable to the importer. As a consequence, the mechanisms to operate data transfers outside the European Union may not be necessary when data are transferred to a subject whose activities fall under art. 3(2) of Regulation (EU) 679/2016.[10] According to the European Data Protection Board, “the EDPB will also further asses the interplay between the application of the territorial scope of the GDPR as per Article 3 and the provisions on international data transfers as per Chapter V”.[11] Chapter V of the Regulation (EU) 679/2016 points out that the aim of personal data transfer mechanisms is to ensure an adequate level of protection of data. It therefore appears that such mechanisms should not be necessary when it is possible to directly apply EU data protection law.
While the new model of clauses provided by the Decision is surely able to update and redirect EU law in the light of new trade practices, it remains to be seen if the application of the clauses will, in practice, solve the critical issues raised by the previous systems of model clauses.
--------------------
European Papers, Vol. 6, 2021, No 3, European Forum, Highlight of 24 February 2022, pp. 1363-1365
ISSN 2499-8249 - doi: 10.15166/2499-8249/529
* PhD candidate, Università del Piemonte Orientale, chiara.bertoldi@uniupo.it.
[1] Regulation (EU) 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, art. 46.
[2] Decision 914/2021/EU of the Commission of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 679/2016 of the European Parliament and of the Council.
[3] Ibid. recitals 3 and 5.
[4] S Bonomi, ‘Standard Contractual Clauses: i punti salienti della nuova bozza pubblicata dalla Commissione Europea’ (26 February 2021) Cyberlaws www.cyberlaws.it.
[5] Recital 10 Decision 914/2021 cit.
[6] Decision 497/2001/EC of the Commission of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries pursuant Directive 95/46/EC; Decision 915/2004/EC of the Commission of 27 December 2004 amending Decision 497/2001/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries; Decision 87/2010/EU of the Commission of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
[7] C Fennessy, ‘New EU SCCs: a Modernized Approach’ (13 November 2020) International Association of Privacy Professionals iapp.org.
[8] European Data Protection Board and European Data Protection Supervisor, Joint Opinion 2/2021 on the European Commission’s Implementing Decision on standard contractual clauses for the transfer of personal data to third countries for the matters referred to in Article 46(2)(c) of Regulation (EU) 679/2016 of 14 January 2021, 9.
[9] Art. 1(1) Decision 914/2021 cit.
[10] Art. 3(2) Regulation (EU) 679/2016 cit.: “[t]his Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.
[11] European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of 16 November 2018, 22.