Let’s go back to examining the new standard contractual clauses (SCCs) adopted by the EU Commission to legitimize the transfer of personal data to third countries (see Alert of 10/6/2021). The transfer of personal data to a third country (i.e. one belonging neither to the EU nor to the EEA) that has not been the subject of a declaration of adequacy by the Commission can be carried out legitimately if adequate guarantees are adopted (Article 46, GDPR) or, in limited and occasional cases, in the presence of specific derogations (Article 49, GDPR). The so-called SCCs are one of the most widespread adequate guarantees. We examine their structure and methods of use.
Decision and SCC
As indicated in the figure above, Commission Implementing Decision (EU) 2021/914, which contains the new SCCs, is composed of 26 Recitals and a substantive part divided into four articles.
The actual SCCs, that is, the contractual text that must be used by exporters and importers who intend to make use of this form of guarantee, are contained in the annex to the decision. This annex, with some risk of confusion, is itself structured into:
- a main part consisting of 14 clauses and 4 modules, which address the corresponding types of data transfer between:
  - controller (exporter) and controller (importer)
  - controller and processor
  - processor and sub-processor
  - processor and foreign controller not subject to GDPR.
- an appendix, which in turn is divided into three annexes:
  - Annex I, which contains the list of parties, the description of the transfer and the indication of the competent authority
  - Annex II, which lists the technical and organizational measures taken to secure the transfer
  - Annex III, which contains the list of any sub-processors.
Unlike in the past, when separate SCCs were adopted for each type of transfer (controller / controller and controller / processor), the current version is intended to cover, and therefore be usable for, all four transfer types mentioned above.
To achieve this aim, a drafting technique was adopted that combines a generally applicable text with four distinct modules (one for each of the four options referred to), to be used alternatively according to the relevant type of transfer.
The structure is completed by the appendix containing 3 Annexes:
- the first two must be completed for any type of transfer considered,
- the third is to be completed only in the case of transfers between controller and processor or between processor and sub-processor, and only when the option of the controller’s specific authorization to use certain already identified sub-processors is chosen.
Consequently, the SCCs cannot be used “as they are” but require an editorial intervention, albeit minimal, consisting of:
- identifying the module corresponding to the type of transfer in question,
- using the relevant text and selecting among the available options,
- deleting the text of the irrelevant modules, which refer to the other types of transfer,
- completing the annexes of the appendix.
To complete the SCCs correctly, these are the most relevant steps:
- MODULE – Choose the right SCCs module (for each type of transfer).
- DESCRIPTION – Document the transfers well in Annex I.B.
- AUTHORITY – Indicate the competent supervisory authority in Annex I.C.
- TIA – Carry out a transfer impact assessment in order to comply knowingly with clause 14.
- MEASURES – Specifically document the measures taken in Annex II.
- MULTIPLE PARTIES – Determine whether to consent to further parties joining the SCCs at any time, by completing the appendix and signing Annex I.A (clause 7 (a)).
- SUB-PROCESSORS – If relevant, document the authorized sub-processors in Annex III and keep the annex updated.