Insights & news

Commission Adopts Model Clauses for International Transfers and Processor Agreements

  • 16/06/2021
  • Articles

On 4 June 2021, the European Commission published two Implementing Decisions with model clauses to comply with the General Data Protection Regulation (EU) 2016/679 (the GDPR).

The first decision is likely to have a more significant impact than the second for many organisations. The European Commission adopted new standard contractual clauses for the transfer of personal data to third countries outside the EU/EEA (the Transfer SCCs). Compared to the current SCCs, the new Transfer SCCs provide more flexibility in the situations that they cover and the parties that are covered by the clauses. In addition, the new Transfer SCCs provide more legal certainty in view of the recent case law of the Court of Justice of the European Union, including the Schrems II case. Organisations that rely on older versions of the SCCs for their international transfers now have 18 months to replace these with the new Transfer SCCs (or other measures that are permitted under the GDPR).

The second decision contains a set of model clauses that can be used between controllers and processors (the Processor Clauses). In particular, Article 28 of the GDPR requires data controllers to put in place a data processing agreement (or other legal act) when outsourcing data processing activities to a data processor, and sets forth the data protection obligations that must be covered by such data processing agreement. The use of the Processor Clauses is optional and organisations can still continue to use their own processor agreements, provided that these comply with Article 28 of the GDPR.

Please click on the link below to read our note on both sets of model clauses.

Attachments:

Key contacts

Related practice areas

Related insights

Sign up for updates
    • 30/11/2021
    • Newsletters

    VBB on Belgian Business Law, Volume 2021, No. 10

    The October 2021 issue of our Belgian Business Law newsletter reporting on the latest developments in a range of areas, including competition, data protection, intellectual property and labour law.

    Read more
    • 25/11/2021
    • Articles

    EDPB Explains Concept of International Transfers under GDPR and Discusses Interplay with Territorial

    On 19 November 2021, the European Data Protection Board (the EDPB) published Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the General Data Protection Regulation (the GDPR) (the Guidelines) for public consultation. The Guidelines are intended to clarify which international transfers of data fall within the scope of Chapter V of the GDPR and therefore require safeguards or other measures to ensure protection of the personal data that are being transferred. In addition, the EDPB calls on the European Commission to adopt a new set of Standard Contractual Clauses for cases where the importer established in a third country is already subject to the GDPR on the basis of the application of GDPR to non-EU based organisations under Article 3(2) of the GDPR. First, the Guidelines set out when a processing constitutes a “transfer of personal data to a third country or to an international organisation” (a Transfer) which triggers the application of the provisions of Chapter V of the GDPR. The Guidelines provide three cumulative criteria that, when satisfied, means a processing qualifies as a Transfer: thus, data must be sent or made available: (i) by a controller or a processor (i.e., an exporter), which, regarding the given processing, is subject to the GDPR pursuant to Article 3 (i.e., the territorial application of GDPR); (ii) to a different controller, joint controller or processor (i.e., an importer); (iii) which is in a third country, regardless of whether or not this importer is subject to the GDPR in respect of the given processing. The Guidelines further describe each criterion, providing some practical examples. Moreover, the Guidelines stress that Chapter V of the GDPR also applies to transfers or disclosures of personal data carried out by controllers or processors which are not established in the European Union (EU) but are subject to the GDPR pursuant to Article 3(2) because they: (a) offer goods or services to data subjects in the EU; or (b) monitor the behaviour of data subjects in the EU, to another controller or processor. By contrast, if the three cumulative criteria identified by the Guidelines are not met, there is no Transfer and Chapter V of the GDPR does not apply. For instance, the Guidelines explain that a situation whereby a controller in a third country collects data directly from data subjects in the EU does not constitute a Transfer. However, in such a case, the EDPB makes it clear that the controller or processor which is subject to the GDPR under Article 3 is still accountable for all processing that it controls, regardless of where such processing takes places, and that the risks of data processing in third countries must still be managed in order to comply with the GDPR. Second, the Guidelines outline that where all the above criteria are met, the processing will be considered to be a Transfer and the exporter must comply with the conditions laid down in Chapter V of the GDPR. This means that the controller or processor must use the instruments that aim to protect personal data after they have been transferred to a third country or to an international organisation. These instruments include: • the existence of an adequate level of protection in the third country or international organisation, pursuant to Article 45 of the GDPR or, in the absence of such adequate level of protection; • the implementation by the exporter of appropriate safeguards, pursuant to Article 46 of the GDPR (i.e., standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, ad hoc contractual clauses, international or administrative agreements); or • derogations under Article 49 of the GDPR. In that regard, the Guidelines explain that the content of these safeguards must be customised based on each situation. When controllers and processors develop relevant transfer tools, such as Standard Contractual Clauses, they must take account of Article 3(2) so as not to duplicate the GDPR obligations, but rather to address what is missing and hence, fill the gaps. For example, such tools must address the measures to be taken in cases of a conflict of laws between third country legislation and the GDPR. In line with this approach, the EDPB encourages the development of a transfer tool for those cases where the importer is subject to the GDPR for a given processing pursuant to Article 3(2). The Guidelines can be consulted here and are subject to public consultation until the end of January 2022.

    Read more
    • 26/10/2021
    • Newsletters

    VBB on Belgian Business Law, Volume 2021, No. 9

    The September 2021 issue of our Belgian Business Law newsletter reporting on the latest developments in a range of areas, including competition, data protection, intellectual property and labour law.

    Read more

Subscribe to our updates

Please select the practice areas you are interested in: *