Standard contractual clauses constitute a set of safeguards that must be respected in connection with the transfer of personal data of data subjects to third countries, unless other safeguards available under the Regulation apply[1]. In this connection, the European Commission has adopted a set of binding standard contractual clauses for the transfer of personal data to third countries and, going above and beyond the Regulation, also a set of standard contractual clauses applicable to the processing of personal data between the controllers and processors, which, however, do not apply to the transfer of personal data to third countries. More on this subject is specified in our article below.

 

I. The European Commission has adopted new standard contractual clauses for the transfer of personal data to third countries[2] under Article 46(2)(c) of the Regulation which can be used for the transfer of personal data between:

 

  1. a controller established in the EU and a controller established in a third country;
  2. a controller established in the EU and a processor established in a third country;
  3. a processor established in the EU and a processor established in a third country; and
  4. a processor established in the EU and a controller established in a third country (if the EU processor combines the personal data received from the third-country controller with personal data collected by the processor in the EU).

 

The standard contractual clauses for the transfer of personal data to third countries, adopted under the previous legal act[3], have been repealed with effect from 27 September 2021.

Contracts concluded before 27 September 2021 on the basis of the previous legal acts are deemed to provide appropriate safeguards within the meaning of Article 46(1) of the Regulation until 27 December 2022.

In connection with the transfer of personal data to third countries on the basis of the standard contractual clauses, the standard contractual clauses adopted by the European Commission must be reflected in a contract with the recipient of personal data located in a third country.

 

II. The European Commission has also adopted its implementing decision on standard contractual clauses between controllers and processors[4] under Article 28(7) of the Regulation, which will enter into force on 27 June 2021. 

Article 28 of the Regulation lays down the minimum scope of the provisions that a contract for the processing of personal data between the controller and processor (‘Data Processing Agreement’) must contain. After entry into force of the Commission Implementing Decision, the controller and processor may also ensure compliance with Article 28(3) and (4) by incorporating the standard contractual clauses into their contract. These clauses, however, may not be used with respect to the transfer of personal data to third countries.

 

We hope you will find this information useful. Please do not hesitate to contact us should you need more detailed information.

 

Viktória Poliaková, Zuzana Krajčovičová

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”).

[2] Commission Implementing Decision 2021/914 was published in the Official Journal of the European Union on 7 June 2021 and is available here: https://eur-lex.europa.eu/legal-content/SK/TXT/?uri=uriserv%3AOJ.L_.2021.199.01.0031.01.SLK&toc=OJ%3AL%3A2021%3A199%3ATOC

[3] Decision 2001/497/EC (controller in the EU and controller in a third country) and Decision 2010/87/EU (controller in the EU and processor in a third country) adopted under Directive 95/46.

[4] Commission Implementing Decision 2021/915 was published in the Official Journal of the European Union on 7 June 2021 and is available here: https://eur-lex.europa.eu/legal-content/SK/TXT/?uri=uriserv%3AOJ.L_.2021.199.01.0018.01.SLK&toc=OJ%3AL%3A2021%3A199%3ATOC