By Rebecca Morgan


Published 01 June 2022

Overview

The European Commission published a Questions and Answers (“Q&A”) document on the Standard Contractual Clauses (“SCCs”) on 25 May 2022, coinciding with the fourth anniversary of the General Data Protection Regulation (“GDPR”) coming into force. The Q&A was, according to the European Commission, developed to provide practical guidance on the use of the SCCs and to assist stakeholders with their GDPR compliance efforts.

The European Commission’s intention is to update the Q&A document as new questions arise – the Q&As at present are based on feedback received by the European Commission on stakeholders’ experience with using the SCCs in the first months after their adoption (4 June 2021). The full Q&A document can be found here.

Content of the Q&As

The Q&A document contains 44 questions and answers and is divided into three parts as follows:

  1. Standard Contractual Clauses: this part consists of (a) general questions on what the SCCs are, (b) questions relating to the SCCs’ signature requirements and modifications, and relationships with other contractual provisions, and (c) questions relating to the “docking clause”, and changes to the parties on the SCCs;
  2. Standard Contractual Clauses between controllers and processors: this part sets out questions and answers on e.g. whether there are any requirements on the processor providing notice to the controller of a data breach and questions relating to sub-processors; and
  3. Standard Contractual Clauses for data transfers to third countries: this part includes questions on (a) the reasons for modernisation of the SCC and what is new, (b) the scope of application and transfer scenarios, (c) questions from individuals when their data is transferred based on the SCCs, (d) obligations of data exporters and importers, and (e) local laws and government access.

While largely dealing with general queries on the SCCs, Part 1 of the Q&As is particularly helpful in providing guidance on the “docking clause”, which did not exist in previous versions of the SCCs. The “docking clause” is an optional clause which allows additional parties to join a contract incorporating the SCCs between two or more parties if the existing parties consent to this. While there are no formal requirements to document the consent in the SCCs (this should instead be done in accordance with the applicable national law governing the SCCs), the answers make it clear that the new party will need to complete the Annexes and sign Annex I of the SCCs in order for the accession to be effective – this means that amending the main contract into which the SCCs are incorporated is not sufficient to add parties to the SCCs.

Part 2, which deals with questions on the controller to processor SCCs, is the shortest part of the Q&As, which signals that stakeholders are generally comfortable with how to use these SCCs. Out of the six questions in this part, two deal with sub-processors – the first on whether the processor is required to provide the names of its sub-processors to the controller, and the second on what happens if the controller objects to changes of sub-processors where a general authorisation to engage sub-processors was given.

The bulk of the questions and answers are contained in Part 3, which is not entirely surprising given the significant updates to the SCCs last year (please see here for our article from June 2021 discussing these changes). The first few questions and answers in the Q&A document deal with why the SCCs were updated, what the main novelties of the new ones are and when organisations should transition to using the new SCCs. The Q&A document also gives guidance on the four different modules to the SCCs and in which circumstances to use them, as well as how to comply with the Schrems II judgment (C-311/18) when using the new SCCs.

More questions on the use of the SCCs are likely to materialise – particularly as we get closer to the end of the transition period for organisations to replace their previous SCCs with the 2021 version. Agreements to transfer data that are concluded after 27 September 2021 must be based on the new SCCs, and for those entities that entered into a transfer agreement based on the previous SCCs before 27 September 2021, there is a transition period until 27 December 2022 to replace the previous SCCs with the new SCCs. We would anticipate that the European Commission will update the Q&A at the latest when the transition period comes to an end, if not sooner.
