21.09.2020
What are SCCs or standard contract clauses?
The Standard Contractual Clauses (SCCs) on data protection allow international data transfers. Their use is established by Article 46 of the GDPR. They are usually used in the absence of a data protection adequacy decision between countries. However, the prohibition of transfers carried out through SCC by the control authorities is allowed in two cases.
Some companies when hiring foreign services will wonder what SCCs or standard clauses are. For the transfer of data at an international level they are not only common but practically indispensable clauses.
Contacto No te quedes con la duda, contacta con nosotros. Estaremos encantados de atenderte y ofrecerte soluciones.Definition
Standard contract clauses are those standardized clauses that have been adopted by the European Commission or a supervisory authority. They are regulated by various Commission decisions. Specifically, four decisions, No 2016/2297/EU amending the 2010/87/EU, as well as Decision 2004/915/EC amending the 2001/497/EC. In addition, the Data Protection Regulation (GDPR) provides for their use in art. 46 GDPR. They are a way to allow the transfer of data between European Union countries and a third country. Since these entail the fulfillment of some guarantees in the protection of the data of the interested one.
The Annex to Decision 2010/87 includes twelve model clauses to be used. A special feature of these clauses is that they are used when the processing is carried out by a recipient outside the Union. In other words, the relationship is between the person responsible in the European Union and the person responsible outside the Union. However, decisions prior to that date regulate transfers only between responsible parties. That is, from an EU controller to a foreign data controller. Thus, there are ten other standard clauses.
International data transfers require the use of certain mechanisms such as SCCs. If one of these mechanisms is not complied with, it will be necessary for the control authority to authorize the transfer. The only case in which they are not necessary is when there is an adequacy decision. This refers to when the Commission considers that a third country has an adequate level of protection. Therefore, as their level of protection is similar or equal to ours, no authorization of the transfer is required. However, sometimes, despite the existence of such adequacy, standard clauses are used.
Si te ha interesado este artículo no dudes en leer:
Directive (EU) 2019/1160: Cross-border distribution of Collective Investment Undertakings
Relevant aspects of these clauses
There are some key issues to consider when using these clauses.
- First of all, more protection is needed for especially sensitive data. For the transfer of these, the interested parties must be notified before the transfer.
- In addition, the language is slightly different from the GDPR. In these, the term “exporter” and “importer” is used. For the 2001 and 2004 decisions, both terms refer to data controllers. In the case of the 2010 decision, as modified by the 2016 decision, the importer is the processor.
- Although they are clauses adopted by the Commission, they will be governed by the legislation of each Member State.
- They protect the interested party with maximum guarantees. They try to certify that the relationship between contractors will be as equivalent as possible to the fulfillment of the RGPD. Therefore, clauses such as the third party beneficiary are included. This means that even the situation in which the exporter or importer ceases to exist or becomes insolvent is regulated.
Current situation after the Schrem I and II sentences
As SCCs are a means of enabling international transfers, they are used extensively by contractors. However, after a controversy between an Austrian citizen and Facebook as a U.S. parent company, two judgments emerged. The Schrem I and II judgments of the European Court of Justice. By which currently national control authorities may even forbid international transfers made through SCC. Provided that one of the following two circumstances apply:
- That the contracting parties do not respect the standard clauses, placing the interested party at risk.
- That the foreign regulation suppresses the guarantees of protection for the interested party offered by the standard clauses.
The latter has happened with data transfers to the USA. Because, although the contractors respected the SCC, the American standard did not. As SCCs are not binding on US authorities, this allowed access to the data by their security agencies. This is the total opposite to what is permitted by European law.
Conclusions
Standard contractual clauses are still valid and one of the most used means for international data transfers. However, exporters and importers must now consider whether the national legislation of destination removes the guarantees of SCCs. Respect for the contracting parties and for the regulations of the data protection guarantees will be then taken into account. So if there is a risk and damage to the data subject by these laws, the European control authorities may prohibit the transfers.
If this article has been of interest, we also suggest you to read the following article published on our website: Data Protection Dictionary (Jargon)