The EDPB and EDPS have adopted joint opinions on two sets of contractual clauses (SCCs). One opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries.
The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Andrea Jelinek, Chair of the EDPB, said: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”
Several amendments were requested in order to bring more clarity to the text and to ensure its practical usefulness in day-to-day operations of the controllers and processors. These include the interplay between the two documents, the so-called “docking clause” which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggest that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity – any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.
Wojciech Wiewiórowski, EDPS, said: “We are convinced these SCCs can facilitate the compliance of controllers and processors with their obligations, both under the GDPR and under the legal framework of EU institutions and bodies (EUIs). Moreover, we hope these SCCs will ensure further harmonisation and legal certainty for individuals and their personal data. It is in this context that we aim to make these documents as future-proof as possible.”
The draft SCCs for the transfer of personal data to third countries pursuant to Art. 46 (2) (c) GDPR will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the CJEU ‘Schrems II’ Judgment, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in case of binding requests from public authorities for disclosure of personal data.
Wojciech Wiewiórowski, EDPS, said: “Given our practical experience, we have made these comments to improve these SCCs with a view to fully ensure that personal data of EU citizens is afforded an essentially equivalent level of protection when transfers to third countries take place. We believe these suggestions and amendments are crucial in order to achieve these aims in practice.”
In general, the EDPB and the EDPS are of the opinion that the draft SCCs present a reinforced level of protection for data subjects. In particular, the EDPB and the EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II judgment. Nevertheless, the EDPB and EDPS are of the view that several provisions could be improved or clarified, such as the scope of the SCCs; certain third party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding access to public data by public authorities; and the notification to the SA.
EDPB Chair Andrea Jelinek added: “The conditions under which SCCs can be used must be clear for organisations and data subjects should be provided with effective rights and remedies. In addition, the SCCs should include a clear distribution of roles and of the liability regime between the parties. As regards the need, in certain cases, for ad-hoc supplementary measures in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the new SCCs will have to be used along with the EDPB Recommendations on supplementary measures.”
The EDPB and the EDPS invite the Commission to refer to the final version of the EDPB Recommendations on supplementary measures, should the final version of the recommendations be adopted before the Commission’s SCC decision. This document was submitted for public consultation until 21 December 2020 and is still subject to possible further modifications on the basis of the results of the public consultation.
The agenda of the EDPB’s 44th plenary session is available here