To be able to share personal data with a recipient outside of the European Economic Area (“EEA”), whether it is, e.g., to the parent company or to the hosting provider, it is necessary to take action to ensure the legality of such transfer. The most common way is for the parties to conclude a specific contract where they undertake to implement sufficient measures to protect the transferred personal data. Such contracts are based on so-called standard contractual clauses issued by the European Commission.
The current standard contractual clauses have been in force since 2001. At the beginning of June, the Commission issued revised clauses that will take effect in Iceland on June 27th. In light of these new clauses, there is reason to pause and examine the substantive differences between the current clauses and the new ones, and to establish what measures companies and institutions need to implement and by what time.
Entry into force
As stated above, the new clauses will enter into force on June 27th, 2021. However, the European Commission’s decision provides for two transitional periods. The first period is three months, or until September 27th, 2021, and during that period it will still be possible to use and implement the old contractual clauses in new contracts. Once the first period ends, the second transitional period commences, which will last for 15 months, or until December 27th, 2022. During that period, those who have implemented the old clauses may continue to use them, but the implementation of the new clauses must be completed by December 27th, 2022. Within the next 18 months, or before December 27th, 2022, the new clauses must thus be implemented in all contracts which are based on the current standard contractual clauses.
Changes from the current clauses
The new contractual clauses contain various new provisions and obligations intended to meet the increased requirements introduced by the European Data Protection Regulation (“GDPR”) which entered into force in 2018 and standards adopted by the European Court of Justice in the recent so-called Schrems II case. The following new provisions are of the most importance:
- Technical and organizational measures. The new clauses stipulate that the parties must decide what technical and organizational measures the recipient needs to take to ensure the security of personal data.
- Assessment of the legislation of the state in which the recipient is established. With the new clauses, the parties declare that they have no reason to believe that the legislation of the state where the recipient of the data is established will prevent the recipient from being able to fulfill its obligations under the contract. The clauses also assume that the parties have made a specific assessment of the country/state’s legislation, including any legal obligation to provide public bodies with access to personal data, as well as an assessment of the transfer as such. This assessment must be documented, and the relevant data protection authorities may request access to it.
- More extensive rights for data subjects. In the new clauses, the rights of data subjects, i.e., natural persons whose personal data is being processed, are expanded. The current clauses do not give data subjects any direct rights against the recipient of the data, but under the new clauses, data subjects acquire direct rights against the recipient.
- Liability. Under the new clauses, both the recipient and the exporter are liable for damages that data subjects suffer as a result of a breach of the clauses.
- Provisions on the entry of new parties. To reflect complex processing chains, the new clauses include a new provision, the so-called “docking clause”, which facilitates the formation of multilateral contractual relations by allowing new parties (including sub-processors) to join the contract afterwards.
- Obligations of the recipient if the authorities request access. The new clauses require data recipients to notify the exporter immediately if public authorities request access to the data transferred under the clauses. The recipient is also obliged to do everything in its power to have any restrictions lifted that would prevent it from providing the exporter with such information.
The new contractual clauses also stipulate that the transfer of personal data can take place in different contractual relationships. The current clauses only provide for a transfer between two controllers or a transfer from a controller to a processor. The new contractual clauses also provide that a transfer can take place between two processors, or between a processor and a sub-processor, and from a processor to a controller.
Need for action
Although there is just over a year and a half until all transfers must rely solely on the new contractual clauses, it is important for companies and institutions to get started. Based on the above, the following actions are recommended:
- Map all transfers of personal data that take place to recipients outside the EEA.
- Map which contracts contain and are based on the current contractual clauses.
- Evaluate the legislation of the states where the recipients of the personal data are established.
- Decide whether additional technical and organizational measures must be implemented.
- Replace the current contractual clauses with the new clauses within the next 18 months.
- Start using the new contractual clauses in new contracts.