To comply with the GDPR and the EU Court of Justice's decision in Schrems II, the European Commission issued what are commonly referred to as the new standard contractual clauses (SCCs). As a result, businesses must do all of the following EXCEPT?
The General Data Protection Regulation (GDPR) introduces a mechanism for personal data transfers to third countries or international organisations that do not ensure an adequate level of data protection, based on approved certifications. According to Article 46 of the GDPR, contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses -- so-called standard contractual clauses (SCCs) -- that have been "pre-approved" by the European Commission.
On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. The Commission developed Questions and Answers (Q&As) to provide practical guidance on the use of the SCCs and assist stakeholders in their compliance efforts under the GDPR.
The Q&As state that businesses must do all of the following:
Consider the new optional docking clause, which expressly permits adding new parties to the SCCs. According to the Q&As, the docking clause allows controllers and processors that are not part of the original contract to accede to the SCCs at a later stage, either as data exporters or importers. This clause is intended to facilitate the use of the SCCs in complex processing chains and to avoid the need to enter into multiple contracts.
Migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022. According to the Q&As, the old SCCs will be repealed on September 27, 2021. However, contracts concluded before that date on the basis of the old SCCs will remain valid until December 27, 2022, provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of the GDPR. After December 27, 2022, the old SCCs will no longer provide a valid legal basis for data transfers to third countries, and the new SCCs will have to be used instead.
Take steps to flow down the new SCCs to relevant parts of their supply chain using the new SCCs as of September 27, 2021, if the business is a data importer. According to the Q&As, the new SCCs require data importers to enter into contracts with any subprocessors that process the personal data transferred under the SCCs, and to include in those contracts the same data protection obligations as those imposed on the data importer under the SCCs. This means that data importers must ensure that the new SCCs are flowed down to their subprocessors as of September 27, 2021, and that any changes in the subprocessors are notified to the data exporter, who has the right to object.
The Q&As do not state that businesses must do the following:
Implement the new SCCs in the U.K. following Brexit, as the U.K. Information Commissioner's Office does not have the authority to publish its own set of SCCs. This is not a valid statement, as the U.K. has its own data protection regime after leaving the EU, and the U.K. Information Commissioner's Office (ICO) has the power to issue its own SCCs for data transfers from the U.K. to third countries. According to the ICO website, the ICO is currently developing bespoke U.K. SCCs, which will be subject to a public consultation and an opinion from the European Data Protection Board (EDPB). Until the U.K. SCCs are finalised, the ICO advises businesses to continue to use the EU SCCs for new contracts, as these clauses have been recognised as a valid transfer mechanism under the U.K. data protection law. However, the ICO also warns businesses that they may need to amend the EU SCCs to reflect that the U.K. is no longer an EU member state, and that they will need to update their contracts to the U.K. SCCs once they are available.
GDPR, Articles 3, 4, 28, 29, 32, 44, 45, 46, 47, 48 and 49.
New Standard Contractual Clauses - Questions and Answers overview, paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 and 11.
Standard Contractual Clauses (SCC), paragraphs 1, 2, 3, 4, 5, 6, 7 and 8.
Using international data transfers, paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9 and 10.