In this blog, we are doing a deep dive into the EDPB recommendations for Schrems II and the new standard contractual clauses (SCC).
This is the first time in ten years that the Commission has published a new set of SCCs for transferring personal data from the EEA. It’s difficult to say when these new SCCs will be enforced and adopted. Unlike the current two sets of SCCs, which are based on whether the importer is a data processor or data controller, the new SCCs take a modular approach combined with general provisions to cater for four different transfer scenarios and distinguish responsibilities under the SCCs on this basis. The modules consist of:
Module 1: Controller-to-Controller
Module 2: Controller-to-Processor
Module 3: Processor-to-Sub-Processor
Module 4: Processor-to-Controller
Though not entirely clear, it seems as though the controllers and processors are to select the module which is best suited to their situation. The Commission notes that the ability to do so makes it possible for parties to tailor their obligations under these SCCs to their specific roles and responsibilities.
These SCCs are complex. The reason is that we are trying to document a number of different data transfer scenarios, with different clauses applying to different modules. Companies are going to have to sit down with the draft SCCs and really work out how they apply to them.
Section II of the new SCCs is all about the obligations of the parties and includes nine clauses. Clause 1 is key in that it sets out the Data Protection Safeguards. These safeguards embody the protections that travel with the personal data that leaves the EEA. Clause 1 starts with a warranty by the exporter that it has used reasonable efforts to determine that the importer is able to satisfy the obligations of the SCCs. This connects back to the Data Transfer Impact Assessment that is a key part of the EDPB recommendations that we’ve discussed previously.
These Data Protection Safeguards include:
It is important to note that each modular approach applies differently to each of these safeguards.
It’s a positive step forward to now have SCCs that cover all types of data transfers and have solutions provided for non-EEA exporters, which weren’t outlined before. The biggest question to consider now is: do companies wait for the new SCCs to be finalized before fully adopting them during this sunset period of the old SCC guidelines?