Insights European Data Protection Board and European Data Protection Supervisor adopt joint opinions on EU Commission’s draft sets of new standard contractual clauses (SCCs)

The EDPB and EDPS have adopted joint opinions on the Commission’s SCCs on: (i) contracts between controllers and processors; and (ii) contracts for the transfer of personal data to third countries.

The EDPB explains that the Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors. Both the EDPB and the EDPS have welcomed the Controller-Processor SCCs as a “single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR”. However, several amendments have been requested to bring more clarity to the text and to ensure its practical usefulness in the day-to-day operations of controllers and processors. These include the interplay between the two documents, the so-called “docking clause” which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggest that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity: any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle, they say.

As for the draft SCCs for the transfer of personal data to third countries, the EDPB explains that these will replace the existing SCCs for international transfers that were adopted on the basis of the Data Protection Directive (95/46/EC). They were in need of updating to bring them in line with GDPR requirements, to take into account the CJEU “Schrems II” judgment, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in the event of public authorities making binding requests for disclosure of personal data.

In general, the EDPB and the EDPS are of the opinion that the draft SCCs present a reinforced level of protection for data subjects. In particular, the EDPB and the EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II judgment. Nevertheless, the EDPB and EDPS are of the view that several provisions could be improved or clarified, such as: the scope of the SCCs; certain third party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding access to public data by public authorities; and notification to supervisory authorities. To read the EDPB’s press release in full and for access to the opinions, click here.