Chapter V of the GDPR contains a special regulatory framework governing the transfer of data to third countries. A third country is a country outside the EU/EEA. To transfer personal data to a third country you need a legal ground for it in conformity with GDPR. One of the possible legal grounds is to use standard contractual clauses (SCC). There is, however, always a risk that the standard contractual clauses do not provide protection equivalent to that which GDPR requires for the processing of data.

Standard contractual clauses

There are three sets of standard contractual clauses, all based on the Data Protection Directive (95/46/EC), the directive which was the predecessor of GDPR. The standard contractual clauses came into force in 2001, 2004 and 2010. Two of the three sets regulate the situation where both sender and recipient are data controllers. The standard contractual clauses from 2010 are appropriate for the situation where the sender is the data controller and the receiver is the data processor.

Read more about the relationship between data controllers and data processors in Swedish here.

Read more about the relationship between two data controllers in Swedish here.

Safe Harbor

Transfers of personal data from the EU to the US were previously governed by a special regulatory framework called the Safe Harbor system. In 2015 this system was annulled by the European Court of Justice (CJEU). The Safe Harbor principles were supposed to guarantee data subjects in the Union sufficient protection for their personal data when that data was transferred to the US.

The annulment was based on the Commission's failure to assess what measures the US had taken, through its legislation or international obligations, to attain an adequate level of protection. The generally formulated Safe Harbor principles also provided that national legislation prevailed over the principles if the national legislation so demanded. Where national legislation had demanded that the Safe Harbor principles be disregarded, it was shown that the disregard was not strictly necessary. Today, another certification system, called Privacy Shield, is used for transfers to the US. This certification system is not used for transfers to other third countries, only to the US.

What does this have to do with standard contractual clauses?

Which companies can choose to apply standard contractual clauses when personal data is transferred from the EU to third countries other than the US? Well, the standard contractual clauses show flaws and a structure similar to those of the annulled Safe Harbor system.

The structure of the clauses enables a third country's national legislation to prevail over the principles of the standard contractual clauses in a way that can jeopardize the protection of personal data under GDPR. When GDPR came into force, provisions which must be taken into account when applying the standard contractual clauses also came into force, and these are provisions that the standard contractual clauses today do not satisfy.

With GDPR come, for example, stricter demands regarding the internal arrangements which should be in place when personal data is transferred between two data controllers. For a transfer of personal data between a data controller and a data processor, the provisions of Article 28 GDPR must be complied with. That article is, however, not completely reflected in the standard contractual clauses from 2010. It can therefore be a good idea to supplement the contract containing the standard clauses with terms that cover these demands.

Standard contractual clauses and GDPR

The standard contractual clauses presented by the Commission are structurally similar to the Safe Harbor system, since the wording of certain clauses leaves room for the standard contractual clauses to be set aside in favour of national legislation; see for example recital 11 of Commission Decision 2010/87/EU (the standard contractual clauses from 2010) and Article 1(2) of Commission Decision 2004/915/EC (the standard contractual clauses from 2004). The protection of personal data which is supposed to apply within the EU could consequently be undermined through use of the standard contractual clauses. It may therefore be necessary to supplement the standard contractual clauses with further contractual terms that ensure compliance with GDPR.

Examples of demands in Article 28 GDPR which are not included in the standard contractual clauses from 2010 (from data controller to data processor):

  • Confidentiality regulation,
  • Time period for processing of personal data,
  • The data processor's obligation to contribute when a personal data breach occurs.

It is mainly the CJEU that decides whether the personal data of the Union's citizens is sufficiently protected when transferred to a third country on the basis of these instruments.

Recently, on 9 July 2019, an oral hearing was held in case C-311/18 Facebook Ireland v. Schrems concerning the application of standard contractual clauses. The decision will come soon, and we'll update here when it has been delivered.

If you have any further questions regarding transfer of personal data to a third country you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17.

Do not hesitate to book a demonstration of GDPR Hero – it will be time well spent!


Victoria Limnefelt Nygren


The content presented in this blog contains general information and is not to be considered as legal advice.