
Data protection (GDPR): transfer of personal data to third countries and modernised standard contractual clauses

Source: AMATIN 2022

When transferring personal data to third countries, it is important to ensure appropriate data protection under applicable laws, including the General Data Protection Regulation (the GDPR) of the European Union.

Before transferring personal data to any third country, we would recommend:

  • checking whether such third country is included in the so-called adequacy decisions of the European Commission as a country which ensures an adequate level of protection,
  • if not – applying the modernised standard contractual clauses for the transfer of personal data to third countries.

Given the recent trends in the globalization of business processes, cross-border transfers of personal data are common in practice, including data stored on servers in different countries. Under the General Data Protection Regulation (the GDPR), it is essential to ensure appropriate data protection when personal data is transferred from the European Economic Area (EEA) to any third country, including onward transfers of personal data from one third country to another. The EEA includes the 27 member states of the European Union as well as Norway, Liechtenstein and Iceland.

Third countries ensuring an adequate level of personal data protection

Before transferring personal data to any third country, it is recommended first of all to check whether such third country is included in the so-called adequacy decisions of the European Commission as a country which ensures an adequate level of data protection. For instance, the European Commission has recognised Switzerland, the United Kingdom, Japan and some other countries as providing adequate protection. Third countries may also be excluded by the European Commission from its adequacy decisions if, following a periodic review, the Commission concludes that such countries no longer ensure an adequate level of protection.

Modernised standard contractual clauses as appropriate safeguards

In the absence of a relevant adequacy decision, personal data may be transferred to a third country only if appropriate safeguards are provided. For instance, such safeguards may include signing a contract with the recipient of personal data based on the standard contractual clauses approved by the European Commission.

In particular, on 4 June 2021 the European Commission approved modernised standard contractual clauses for the transfer of personal data to third countries. These clauses can be used by personal data exporters and importers to demonstrate compliance with data protection requirements, without the need to obtain prior authorization (for the data transfer or the contractual clauses used) from a data protection authority. In addition, on 25 May 2022 the European Commission provided practical guidance on the use of these new standard contractual clauses.

After 27 December 2022 it will no longer be possible to rely on the previous version of the standard contractual clauses in order to lawfully transfer personal data to third countries. The modernised standard contractual clauses for the transfer of personal data to third countries can be used by personal data controllers or processors that are subject to the GDPR in order to transfer personal data to controllers or processors outside the EEA whose activities are not subject to the GDPR. As we mentioned in our previous blog “Data protection (GDPR): importance for companies outside the EU”, a company which is not based in the EEA is subject to the GDPR and has to comply with its requirements if such company processes personal data of people who are in the EEA and its data processing activities are related to:

  • the offering of goods or services to data subjects in the EU/EEA (irrespective of whether a payment is required from such data subjects), or
  • the monitoring of their behaviour which takes place within the EU/EEA.

Thus, such non-EEA companies can also use the abovementioned standard contractual clauses.

In order to apply the modernised standard contractual clauses for the transfer of personal data to third countries, the parties shall choose the module that fits their particular situation (e.g. Module 1 regarding data transfer from “Controller to Controller”, Module 2 “Controller to Processor”, Module 3 “Processor to Processor”, Module 4 “Processor to Controller”). In addition, the parties must properly complete all the annexes to the standard contractual clauses, inter alia, with the required information on each of the specific personal data transfers, for instance:

  • the roles of the parties (i.e. as a data exporter and a data importer),
  • a description of the purposes of each individual personal data transfer which will take place under the contract,
  • the categories of data subjects whose personal data is transferred,
  • the categories of personal data transferred,
  • the safeguards and restrictions applied to protect sensitive data,
  • the nature of the personal data processing,
  • the properly identified competent supervisory authority,
  • a specific description of the technical and organisational measures implemented by the data importers to ensure an appropriate level of personal data security, etc.

Conclusions

When transferring personal data to third countries, it is important to ensure appropriate data protection under applicable laws, including the General Data Protection Regulation (the GDPR). Before transferring personal data to any third country, we would recommend:

  • checking whether such third country is included in the so-called adequacy decisions of the European Commission as a country which ensures an adequate level of protection,
  • if not – applying the modernised standard contractual clauses for the transfer of personal data to third countries.
