The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.


FAQ for standard contractual clauses

On May 25, 2022, the European Commission published a set of questions and answers on the two sets of standard contractual clauses: (1) one for use between controllers and processors (Art. 28 GDPR) and (2) one for the transfer of personal data to countries outside of the EEA (Art. 46(2)(c) GDPR), both adopted by the European Commission on June 4, 2021.

Summary

Standard contractual clauses (SCCs) are standardised instruments that produce legal effects, adopted by the Commission under a power expressly granted to it by EU law (GDPR). For this reason, SCCs cannot be amended in a way that conflicts with the original document.

The SCCs for data flows (Art. 46(2)(c) GDPR) should be read in combination with the provisions of Chapter V on transfers of personal data to third countries, as they apply only in such circumstances and, specifically, only when the GDPR does not apply to the data controller/processor (data importer). In other cases, as well as for data transfers to international organisations (data importers), additional SCCs, soon to be adopted by the EU Commission, will be applicable.

Figure – The SCCs adopted with Decisions 2021/914 and 2021/915 by the EU Commission.

Standard contractual clauses

The standard contractual clauses, better known by the English acronym “SCCs”, are standard contract models adopted by the European Commission to be used in relations between controllers and processors in order to comply with the requirements of the GDPR. The General Regulation empowers the Commission to adopt SCCs in two specific circumstances:
  1. To incorporate in a contract the relations on personal data protection between data controllers and their respective data processors, to meet the requirements of Article 28(3) and (4) and in accordance with the power granted to the Commission by paragraph 7 of the same Article;
  2. As a safeguard measure to legitimize cross-border data flows to countries without a personal data protection regime substantially equivalent to that of the Union, in fulfillment of the requirements of Article 46(2)(c) of the GDPR.

Article 97 of the GDPR provides that the Regulation shall be evaluated by the Commission every four years with regard to its practical application; the first evaluation was in 2020, and the next round, scheduled for 2024, will also cover the application of these SCCs.

Concept of personal data transfers to third countries

The EDPB 05/2021 guidelines set out some identifying criteria for personal data transfers to third countries; in this regard, the following examples from the same guidelines can be given:

Figure – Examples of transfers and related applicability of Chapter V of the GDPR.
  1. a controller or processor who is established in the EU (A), processes personal data outside the EU and transfers the data to its own processor (B) located in a third country: Chapter V of the GDPR applies to the transfer of data between (A) and (B)
  2. a company established in a third country (A), which is the data controller and to which the GDPR applies under Article 3.2, transfers data to two companies (B) and (C) that carry out processing operations on its behalf, as data processors; (B) is established in the same third country as (A) and (C) is established in another third country: for transfers between (A) and (B) and between (A) and (C), Chapter V of the GDPR applies
  3. a controller established in a third country (A), carries out a processing operation to which the GDPR applies under Article 3.2 and makes its data available, through access to its servers, to its processor (B) located in the EU: the data flow between (A) and (B) and between (B) and (A) is subject to Chapter V of the GDPR
  4. a controller established in a third country (A) performs a processing of personal data that is NOT subject to the GDPR, forwards such data to a company acting as its processor (B) located in the EU: the data return flow from (B) to (A) is regulated by Chapter V of the GDPR
  5. an employee authorised to carry out processing (A) of a data controller subject to the GDPR (B), while on a trip to a third country, connects to the company’s systems through his PC and performs operations regarding that processing: Chapter V of the GDPR does not apply to the flow of data between (A) and (B) because it does not occur between data controllers and data processors.

Parties of the SCCs

The SCCs regulating processing between the controller and its processor have as contractual parties controllers and processors established in the EEA and therefore both subject to the GDPR.

By contrast, the 2021 SCCs on cross-border data flows provide as contractual parties controllers and processors (data exporters) who are subject to the GDPR and controllers and processors (data importers) to whom the GDPR does not apply.

More specifically, the hypothetical data transfer cases may be as follows:

  1. From controller (data exporter) subject to the GDPR to controller (data importer) not subject to the GDPR (Form 1)
  2. From controller (data exporter) subject to the GDPR to processor (data importer) to whom the GDPR does not apply (Form 2)
  3. From processor (data exporter) subject to the GDPR to sub-processor (data importer) not subject to the GDPR (Form 3)
  4. From processor (data exporter) to its controller (data importer) to whom the GDPR does not apply (Form 4).

Figure – Scope of application of SCCs covered by Commission Decision 2021/914.