The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) previously published by the European Commission in November 2020. The opinions cover the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries. We have previously commented on both sets of drafts here and here.
Controller to processor SCCs
In their joint opinion, both the EDPB and the EDPS, welcomed the controller to processor SCCs as a single, strong, and EU-wide accountability tool, which will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. Further amendments were also noted as needed, for example the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the SCCs Annexes should be amended to clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity. The EDPB and EDPS consider these additional amendments as necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Transfer of personal data to third countries SCCs
Both the EDPB and EDPS stated these updated, one-stop shop SCCs for the transfer of personal data to third countries were welcomed as they provide reinforced protection for data subjects. The EDPB and EDPS noted the draft SCCs address some key issues identified in the Schrems II judgement and include more specific safeguards in the event the laws of the importing country impact compliance with the clauses of the SCCs, in particular in case of binding requests from public authorities for disclosure of personal data. The draft SCCs also aim to better reflect the present realities of data transfers, which often involve multiple data importers and exporters. At the same time, both bodies acknowledged that several provisions could be improved and clarified, such as the scope of SCCs, certain third party beneficiary rights, certain obligations regarding onward transfers, aspects of the assessment of third country laws regarding access to public data by public authorities and the notification to supervisory authorities. Similar to their comments regarding the Annexes to the controller to processor SCCs, the EDPB and EDPS noted it is of “utmost importance” that the Annexes to the draft SCCs regarding the transfer of personal data to third countries are updated to provide “absolute clarity” regarding the roles and responsibilities of each party in each relationship, and with regard to each processing activity.
The EDPB and EDPS suggested that the European Commission consider EDPB recommendations on supplementary measures should the final version of the recommendations be adopted before the Commission’s SCC decision.