Standard Contractual Clauses

On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies cannot be used anymore. The injunction can still be appealed and could also be lifted in the main proceedings.
Continue Reading German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization

Today the European Commission issued the new and long-awaited Standard Contractual Clauses, available here (SCCs). These new SCCs contain updates for the GDPR, and replace the three sets of SCCs that were adopted under the previous Data Protection Directive. The SCCs released today include the following modules:

  • Controller to controller transfers,
  • Controller to processor transfers,
  • Processor to processor transfers, and
  • Processor to controller transfers.

The draft SCCs had been open to consultation in December of 2020 (more on our previous blog here). The final drafts issued today will come into effect 20 days after publication on the Official Journal of the European Union, which should be sometime between the 25th and 30th of June 2021.
Continue Reading European Commission issues New Standard Clauses for data transfers outside the EEA: Act within 18 months

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) previously published by the European Commission in November 2020. The opinions cover the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries.  We have previously commented on both sets of drafts here and here.

Controller to processor SCCs

In their joint opinion, both the EDPB and the EDPS, welcomed the controller to processor SCCs as a single, strong, and EU-wide accountability tool, which will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. Further amendments were also noted as needed, for example the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the SCCs Annexes should be amended to clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity. The EDPB and EDPS consider these additional amendments as necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Continue Reading The EDPB and EDPS adopt joint opinions on the new draft SCCs

On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here).

The current SCCs were adopted by the Commission before the GDPR came into force.  The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements.

The main changes introduced by the draft SCCs are summarised below.Continue Reading European Commission releases draft updated standard contractual clauses

On 12 November 2020, the European Commission released its first draft set of clauses covering the Article 28 GDPR requirements, for consultation (available here).

Article 28 of the GDPR governs the relationship between controllers and processors. In particular, Articles 28(3) and (4) outline the details that must be included in a data processing agreement between a controller and a processor (e.g. purpose and duration of processing, details of the measures used to ensure security of data) as well as the obligations that apply to the processor (e.g. processing only on the documented instructions of the controller, implementation of security measures, assistance).

The clauses offer a useful insight into the Commission’s expectations on data processing agreements, which should assist organisations with any review (and, if required, development) of their data processing agreement templates.Continue Reading European Commission publishes draft Article 28 clauses for consultation

The Summer 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. ECJ and GDPR: Another decision hitting social media activities by companies
  2. EDPB does not opt for changes to EU standard contractual clauses
  3. EU

Following the CJEU’s judgment of October 2015 invalidating the European Commission’s Safe Harbor Decision, the Data Protection Authority Hamburg (“DPA Hamburg“) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June 2016, these investigations revealed that the majority of the companies under investigation

On 3 February, the Article 29 Working Party (‘WP29’), a group comprising representatives of the EU Member States’ Data Protection Authorities (‘DPAs’), issued a statement cautiously welcoming the agreement on an “EU-U.S. Privacy Shield”. If it is formally adopted, the Privacy Shield will replace the Safe Harbor agreement that was declared

Spain’s Data Protection Authority, the Agencia Española de Proteccion de Datós (‘AEPD’), has issued a deadline of 29 January 2016, for the implementation of alternative mechanisms to Safe Harbor.

By letter dated 3 November 2015, the AEPD imposed the deadline on all companies operating in Spain that had previously notified it of personal data transfers to the United States which were based on the recipient’s Safe Harbor certification.  The letter requires companies in Spain to inform the AEPD of the mechanism(s) they have implemented to ensure the “adequate protection” of personal data which is transferred to the United States.
Continue Reading Spain issues deadline for implementing alternative Safe-Harbor mechanisms