On May 25, 2022, the European Commission published a set of questions and answers on the two sets of standard contractual clauses (SCCs): (1) one for use between controllers and processors (Art. 28 GDPR) and (2) one for the transfer of personal data to countries outside of the EEA (Art. 46(2)(c) GDPR), both adopted by the European Commission on June 4, 2021.
The SCCs for data flows (Art. 46(2)(c) GDPR) should be read in combination with the provisions of Chapter V on transfers of personal data to third countries, as they apply only in such circumstances and, specifically, only when the GDPR does not apply to the data controller/processor (data importer). In other cases, as well as for data transfers to international organisations (data importers), additional SCCs, soon to be adopted by the EU Commission, will be applicable.
Standard contractual clauses
- To set out in a contract the personal data protection relationship between data controllers and their respective data processors, meeting the requirements of Article 28(3) and (4), in accordance with the power granted to the Commission by paragraph 7 of the same Article;
- As a safeguard measure to legitimize cross-border data flows to countries without a personal data protection regime substantially equivalent to that of the Union, in fulfillment of the requirements of Article 46(2)(c) of the GDPR.
Concept of personal data transfers to third countries
The EDPB Guidelines 05/2021 set out criteria for identifying transfers of personal data to third countries; the following examples are drawn from those guidelines:
- a controller or processor who is established in the EU (A), processes personal data outside the EU and transfers the data to its own processor (B) located in a third country: Chapter V of the GDPR applies to the transfer of data between (A) and (B)
- a company established in a third country (A), which is the data controller and to which the GDPR applies under Article 3.2, transfers data to two companies (B) and (C) that carry out processing operations on its behalf, as data processors; (B) is established in the same third country as (A) and (C) is established in another third country: for transfers between (A) and (B) and between (A) and (C), Chapter V of the GDPR applies
- a controller established in a third country (A), carries out a processing operation to which the GDPR applies under Article 3.2 and makes its data available, through access to its servers, to its processor (B) located in the EU: the data flow between (A) and (B) and between (B) and (A) is subject to Chapter V of the GDPR
- a controller established in a third country (A) performs a processing of personal data that is NOT subject to the GDPR, forwards such data to a company acting as its processor (B) located in the EU: the data return flow from (B) to (A) is regulated by Chapter V of the GDPR
- an employee (A) authorised to carry out processing for a data controller subject to the GDPR (B), while on a trip to a third country, connects to the company’s systems from his PC and performs operations relating to that processing: Chapter V of the GDPR does not apply to the flow of data between (A) and (B), because the flow does not take place between data controllers and data processors.
Parties of the SCCs
The SCCs governing processing between a controller and its processor have as contractual parties controllers and processors established in the EEA, and therefore both subject to the GDPR.
By contrast, the 2021 SCCs on cross-border data flows have as contractual parties controllers and processors (data exporters) who are subject to the GDPR and controllers and processors (data importers) to whom the GDPR does not apply.
More specifically, the possible data transfer cases are as follows:
- From controller (data exporter) subject to the GDPR to controller (data importer) not subject to the GDPR (Form 1)
- From controller (data exporter) subject to the GDPR to processor (data importer) to whom the GDPR does not apply (Form 2)
- From processor (data exporter) subject to the GDPR to sub-processor (data importer) not subject to the GDPR (Form 3)
- From processor (data exporter) to its controller (data importer) to whom the GDPR does not apply (Form 4).