Entities transferring personal data outside the European Economic Area on the basis of standard contractual clauses that are no longer in force (where the transfer began before 27 September 2021) should conclude agreements based on new clauses by 27 December 2022.
Under the General Data Protection Regulation, the transfer of personal data to “third countries” (outside the European Economic Area) is only permitted if the conditions set forth in the GDPR are met, i.e. generally when:
- The transfer is made to a country which the European Commission has determined provides an adequate degree of protection (i.e. it has issued an adequacy decision—decisions issued so far are available on the European Commission website)
- If there is no adequacy decision, then adequate safeguards are provided, including in the form of conclusion of an agreement based on standard contractual clauses between the entities involved in the transfer
- If there is no adequacy decision or adequate safeguards, then one of the special circumstances specified in the GDPR applies.
New standard contractual clauses and transition period
In June 2022, the European Commission adopted new sets of standard contractual clauses regarding the transfer of personal data to third countries. The following clause modules are available:
- Controller–controller, concerning the transfer of data from a data controller from EEA territory to a third-country data controller
- Controller–processor, concerning the transfer of data from a controller from EEA territory to a third-country data processor
- Processor–processor,concerning the transfer of data from a processor from EEA territory to a third-country processor
- Processor–controller, concerning the transfer of data from a processor from EEA territory to a third-country controller.
On 27 September 2021, the Commission’s previous decisions establishing model standard contractual clauses, namely Decision 2001/497/EC and Decision 2010/87/EU, expired.
In adopting a new set of standard contractual clauses, the Commission decided that a transitional period will be in effect until 27 December 2022, during which controllers and processors can, in principle, base transfers of personal data to third countries on previous versions of the standard contractual clauses under which they entered into contracts before 27 September 2021 (provided that the processing operations subject to the contract remain unchanged and that use of the previous version of the clauses ensures that the transfer of personal data is subject to adequate safeguards).
As of 27 September 2021, new contracts related to data transfers outside the EEA had to be concluded using the new standard contractual clauses adopted by the Commission in June 2021.
In practice, this means that entities transferring personal data outside the European Economic Area on the basis of standard contractual clauses that are no longer in force (where the transfer began before 27 September 2021) should conclude agreements based on the new clauses (after analysing which of the four modules is the appropriate one) by 27 December 2022.
Time to check GDPR compliance
Failure to conclude agreements based on the new standard contractual clauses could lead to a situation in which transfers are made without adequate safeguards, and therefore in violation of the GDPR. In turn, this could expose entities making such transfers to the risk of legal liability, including imposition of an administrative fine by the supervisory authority.
Conclusion of agreements based on the new standard contractual clauses will be a good opportunity to review the transfers being made and verify whether they are permissible at all, whether they are taking place on the right basis, whether the descriptions are up-to-date, and whether adequate safeguards are provided. Importantly, just because an entity made such a verification during implementation of the GDPR in 2018 does not necessarily mean that transfers are still being conducted correctly and adequately.
Making appropriate updates and documenting them may be needed especially in the context of the relatively fresh requirements that have emerged for data transfers outside the EEA following the ruling of the Court of Justice in C-311/18, Schrems II, on verification of the need to implement possible supplementary measures in addition to the inclusion of standard contractual clauses.
The new standard contractual clauses contain more detailed provisions than previous versions of the clauses, and some optional decisions. The wording of these decisions depends on the arrangements of the parties, which may require business judgment to some extent.
It is not worth postponing these steps for the purpose of concluding agreements based on the new standard contractual clauses until the last moment, as these activities, in particular analysis and description of transfers, as well as reaching the final wording of the agreement between the parties, may prove quite time-consuming in practice.
Karolina Romanowska, Łukasz Rutkowski