With the new standard contractual clause, the EU Commission has introduced an important instrument for international data transfer. But what are the implications of this decision for controllers and processors in Germany?
What is a standard contractual clause?
Data transfer outside the EU/EEA must comply with the level of protection stipulated in the GDPR. In the absence of an adequacy decision by the EU Commission, the contracting parties must guarantee this level themselves. The new standard contractual clause presents such a guarantee. It requires its users to comply with the GDPR level of protection.
Uniform new standard clause
Previously, data exporters had to assess whether and which security measures were necessary to ensure the level of protection on a case-by-case basis. The purpose of the new standard clause is to standardize this. It merges the previously existing clauses into one modular clause. Moreover, it contains provisions on liability. The parties are permitted to determine the place of jurisdiction and the applicable law themselves. This makes the conclusion of a contract more flexible, but it is also more time-consuming. In addition, the parties must contractually ensure that no legal provisions prevent them from fulfiling their obligations under the clause. This should enable the parties to incorporate their individual experience in dealing with legislation and authorities. However, this clause could still be overturned by the European Court of Justice (ECJ).
Replacement of previous standard contractual clause by the end of 2022
By December 27, 2022, companies are required to have replaced all previously concluded standard contractual clauses for data transfers to third countries with the new version of the clause. This yields two action steps that companies should take now.
- First, it is necessary to examine which data are transmitted on the basis of previous clauses.
- Companies should then urge their contracting parties in third countries to agree to the new standard clause.
Indeed, the conclusion can be extremely time-consuming due to the necessary risk assessment and negotiations on appropriate measures. We are happy to support you in properly assessing the risk and finding GDPR-compliant measures.