Standard contractual clauses for the transfer of personal data to third countries to be changed and additional safeguards to be adopted

Previous

14.07.2022 10:49

How to apply legal rules for the transfer of personal data to third countries? Read Professor Morávek's article here:

Standard contractual clauses for the transfer of personal data to third countries to be changed and additional safeguards to be adopted

It is quite likely that you have recently been approached by ISPs who have infrastructure outside the EU with the need to change some contractual clauses. If this has not yet happened and does not happen any time soon, we recommend that you yourself invite the provider to go ahead with such changes for the reasons set out below. Without appropriate modifications, there is a risk of sanctions to be imposed by the Office for Personal Data Protection. The reasons are as follows.

The data protection legislation sets apart (Art. 44 et seq. GDPR) countries that provide an adequate level of protection of personal data, one that is comparable to the European standard. Such countries are the EU and EEC Member States, as well as countries that the European Commission, by its adequacy decision, designates as safe (note: currently, countries that have ratified the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data are no longer considered safe by default). In other cases, if the data are to be transferred to a controller or processor outside a safe country within the above meaning, the adoption of appropriate safeguards is required (Article 46 GDPR). Only if the adoption of appropriate safeguards is not possible can the transfer of personal data proceed on the basis of one of the exceptions as set forth in Article 49 GDPR.

Simply speaking, both binding corporate rules (Article 47 GDPR), which are primarily designed for groups of undertakings, and standard contractual clauses contained in the Commission Decision serve to ensure an adequate level of protection when transferring personal data to third countries.

The standard contractual clauses are applicable to both controller-processor and controller-controller relationships.

Their operation is straightforward. They only need to be included in the contractual relationship of the parties concerned.

Historically, there were several Commission Decisions on standard contractual clauses issued. Following the GDPR, and this is relevant in terms of the above-mentioned interfaces in particular with providers of internet and other similar services, Commission Decision 2021/914 of 4 June 2021 on standard contractual clauses for transfers of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council replaced all the previous Decisions. This most recent Decision contains a universal set of modular standard contractual clauses applicable to all the aforementioned relationships.

Thus, as of 27 September 2021, previous standard contractual clauses can no longer be used and Decision 2021/914 must be followed in all circumstances.

In addition, it has been stipulated that, by 27 December 2022, all contracts entered into before 27 September 2021 which used the earlier Commission Decision on standard contractual clauses as a means to protect data must be replaced by standard contractual clauses in accordance with Commission Decision No 2021/914.

In this context, it is worth recalling that, following the decision of the CJEU in Schrems II (C-311/18), standard contractual clauses can no longer be considered as a default means of ensuring an adequate level of protection for the transfer of personal data without further consideration. It is always necessary to assess in advance whether contractual clauses provide a sufficient level of protection in the recipient’s country, taking into account the legislation, the level of the rule of law and the application of its principles, as well as other relevant circumstances. These aspects should be assessed in cooperation with a competent person (or government authority) in the third country. In case of a positive outcome, the standard contractual clauses can be used without additional safeguards. Otherwise, additional safeguards (technical, contractual, organizational) should be taken to strengthen the protection of the transferred data. As regards additional safeguards, reference can be made to the European Data Protection Board Recommendations 1/2020 of 10 November 2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

We are aware that the issue of personal data protection is relatively complicated and the legal rules on the transfer of personal data to third countries particularly so. Therefore, if you have any questions, please do not hesitate to contact us. We are ready to provide you with prompt assistance and support.

This item of news was drafted by JUDr. Jakub Morávek, Ph. D., attorney-at-law and partner of Felix a spol. advokátní kancelář s.r.o.