On January 15, 2020, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”), both of which were published by the European Commission in November 2020 on international transfers (“International SCCs”) and for controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”).
ÖUpon completion of the work, the international SCCs will replace the existing SCCs created under the Data Protection Directive for the transfer of personal data from the EEA to organizations in non-EEA countries for which no adequate level of data protection has been recognized. In these cases, the EU General Data Protection Regulation (GDPR) prescribes the implementation of a transmission mechanism. After the invalidation of the data protection shield before the Court of Justice of the European Union (the “ECJ”) Schrems II judgmentThe majority of organizations have to rely on the international SCCs to legitimize their transfers.
In one Press release Edited by EDPB and EDSP, EDPB Chair Andrea Jelinek stated that the SCCs for EEA Controller Processors would be welcomed as a strong EU-wide accountability tool to facilitate GDPR compliance and provide legal certainty for controllers and processors. However, the Chair asked for sufficient clarity as to the situations in which these SCCs could be used. Several changes were also requested to provide clarity and ensure that the drafts work in practice, including with regard to the “docking clause” which allows new parties to join the SCC. The panels also asked for clarifications regarding the annexes to the SCC and the roles and responsibilities that should be assigned to controllers and processors therein. The EDPS, Wojciech Wiewiórowski, stated that the aim should be to make the documents as future-proof as possible.
With regard to the international SCCs, the Panels said that they welcomed the specific provisions to address the problems identified in Schrems II, but some provisions could be improved or clarified, for example the scope of the SCCs. certain third party rights; certain obligations related to redirects; Aspects of the evaluation of the laws of third countries with regard to data access by authorities; and notifying the regulatory authorities. The EDPB also stressed the need for controllers to take this into account Recommendations for additional measures and urged the European Commission to refer to the final version of these recommendations if they are adopted prior to the European Commission’s SCC decision.