EU ISSUED NEW GDPR STANDARD CONTRACTUAL CLAUSES – WHEN AND HOW TO USE THEM?
15 September 2021
During summer 2021, the European Commission published two new sets of "standard contractual clauses" on data protection, which can be applied, on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR and, on the other, to transfers of personal data to third countries. In this article, we answer the questions: what do these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?
1. Standard contractual clauses in general
The new standard contractual clauses ("SCC") adopted by the European Commission serve the purpose of making it easier for data controllers or processors subject to the GDPR to comply with the GDPR.
The SCCs are "model contracts" for the processing of data with a predefined content, and if applied, the data processing in question is deemed to be in compliance with the GDPR.
The Commission has issued SCCs in the past; however, they were adopted under the pre-GDPR regulation and have become obsolete due to the entry into force of the GDPR and the consequences of the Schrems II judgment.[1]
2. Data Processing SCC[2]
According to Article 28 of the GDPR, the data processing carried out by the data processor[3] shall be governed by a contract with the content specified in detail in the GDPR, which shall contain, in addition to the characteristics of the data processing (subject, duration, nature and purpose of the processing, etc.), several other obligations applicable to the data processor, including, among others:
- the data processor shall only process personal data on the basis of written instructions from the data controller;
- the data processor shall ensure that persons authorised to process the data are under an obligation of confidentiality;
- the processor shall ensure the security of the data processing, etc.
However, the GDPR allows[4] the Commission to develop "model" SCCs that fulfil the above requirements set out in the GDPR.
The new Data Processing SCC is such a "model" contract. It simplifies matters for data controllers and processors, as they do not have to draft their own data processing contract but can use the Data Processing SCC developed by the Commission.
3. Standard contractual clauses for data transfers to third countries[5] ("Data Transfer SCC")[6]
Based on the GDPR, as a general rule, personal data may only be transferred to a third country if the Commission has determined that the third country provides an adequate level of protection.
However, the SCCs adopted by the Commission also constitute an exception to the above strict regulation in this case, as under the GDPR[7], if they are applied, the controller or processor is deemed to provide adequate safeguards and may transfer personal data to a third country even in the absence of a specific authorisation from the Commission.
The new Data Transfer SCC is therefore also a "model" contract that can be used by the parties for transfers to third countries.
4. What are the main differences between the new and old SCCs?
The new SCCs require stricter rules from the parties, with the main new elements including:
- additional obligations for data importers, data processors, in line with the GDPR rules, including notification obligations, data retention restrictions and data security obligations;
- more flexible rules on multi-party data processing, taking into account that the new SCCs allow third parties to join the SCCs under their "docking clauses";
- more flexible options regarding the choice of law and place of dispute resolution governing the SCCs.
It should be highlighted that the Data Transfer SCC regulates the provisions on data transfers between controllers and processors in a new structure, in a modular system. In the new modular system, controllers and processors may use the following four types of contracts, defined by the contractual position of the parties:
- Transfers between controllers
- Transfers from controller to processor
- Transfers between processors
- Transfers from processor to controller
A significant novelty is that the Commission has also adopted a set of SCCs (modules) for data transfers between processors and from processor to controller, which were not previously covered, and which will significantly simplify such data transfers.
Can the SCCs be amended or supplemented?
In general, the contracting parties may not modify the SCCs, except for the addition of information on the parties and the characteristics of data processing.
However, the parties may incorporate the SCCs into a broader contract, add other clauses or additional safeguards to the SCCs, provided that they do not directly or indirectly contradict these SCCs and do not adversely affect the fundamental rights or freedoms of data subjects.
5. When do the new SCCs apply?
Both new SCCs are applicable from 27th June 2021, and it is important to note that, according to the decision adopting the Data Transfer SCC, the previous SCCs on this subject will no longer be applicable from 27th September 2021.
However, the Commission Decision also provides a grace period for data controllers and processors in relation to data transfers to third countries,[8] namely that the previous SCCs may be applied until 27 December 2022 at the latest for previously concluded contracts, subject to certain conditions.[9]
From 27 December 2022, only the new SCCs shall be applied.
6. What should you do in view of the publication of the Data Processing SCCs and Data Transfer SCCs?
Data Processing SCC:
As of 27 June 2021, you can use the new Data Processing SCC for your data processing contracts, and both your business and the other party shall comply with the new, stricter terms.
Data Transfer SCC:
You may maintain contracts already entered into under the previous SCC, with additional appropriate guarantees, until 27 December 2022, provided that the terms and conditions therein remain unchanged, but you have to develop an amendment to these contracts under the new Data Transfer SCC during this transitional period.
In any case, from 27 September 2022, you will have to apply the new SCC to your contracts for data transfers to third countries.
[1] Decision No. C‑311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems
[2] Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915&from=EN
[3] a person who processes personal data on behalf of the controller, e.g.: a company's payroll administrator
[4] Section 28(7) of GDPR
[5] non-EEA countries, such as the United States of America
[6] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=HU
[7] Section 46(2)(c) of the GDPR
[8] Section 4 of Data Transfer SCC
[9] The processing operations that are the subject of the contract remain unchanged and the reference to those conditions ensures that the transfer of personal data is subject to appropriate safeguards.