The European Data Protection Board (the EDPB) has been actively cooperating with the National Supervisory Authorities in an effort to implement a more harmonized approach regarding standard contractual clauses (SCCs) for contracts between controllers and processors used internationally.
The Legal Framework
The SCCs are used when the data controller or data processor transfers personal data to a third country (meaning a country outside European Union) or international organisation, in which case a legal contract is formed between the two parties to provide the necessary safeguards, according to the obligations set out in the GDPR for the protection of personal data. The SCCs are standard sets of contractual terms and conditions, which are binding for both the sender and the receiver of personal data. The European Commission has issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or the European Economic Area (EEA).
Their role is to provide a level of protection for personal data leaving the EEA through contractual obligations, in compliance with the GDPR’s requirements concerning territories which are not considered to offer adequate protection to the rights and freedoms of data subjects.
Improving the Standard Contractual Clauses
The GDPR’s enforcement has revealed the need for harmonization in many areas which involve the processing of personal data. Use of SCCs is particularly important in regards to data protection because it promotes a harmonized approach concerning the processing of personal data of natural persons internationally, allowing for the consistent implementation of the GDPR’s specific provisions. The EDPB has been quick to advise National Supervisory Authorities on the matter in order to promote a high level of data protection and homogeneity.
On December 2019, the EDPB published the final version of the Danish Supervisory Authority’s SCCs for contracts between controllers and processors. For the formulation of these SCCs, the Danish Supervisory Authority had adopted a number of recommendations from EDPB on matters such as:
- the rights and obligations of data controllers;
- confidentiality and security of processing;
- the procedure by which a sub-processor is to be engaged;
- the transfer of data to third countries or international organisations, etc.
In conjunction with the suggestions made by the EDPB, the standard processor agreement’s purpose is to facilitate organisations to comply with the obligations set forth by the GDPR. However, it should be noted that the SCCs should further specify the provisions of the GDPR e.g. with regard to the assistance provided by the processor to the controller and not just restate them, as they are.
This particular set of SCCs represent an example, to ensure correct and consistent application of the GDPR provisions. While the Danish Supervisory Authority’s set of SCCs can be used as guidance, this does not prevent parties from adding additional safeguards in their contracts, provided that they do not contradict, directly or indirectly, with the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects. As such, they may serve as an example for contracts to be used by data controllers in Cyprus.
For further information on the SCC of Danish Supervisory Authority, please visit here.
he EDPB’s active involvement with the National Supervisory Authorities helps significantly with the establishment of high-quality standards of data protection in every Member State. It represents a step towards more harmonised application and increased protection for personal data including transfer of such data. However, it is important, firstly, for the European Commission to renew or update its issued sets of SCCs based on the EDPB’s suggestions. Secondly, in accordance with the above, the Office of the Commissioner for personal data protection in Cyprus should publish its own set of SCCs for approval and suggestions by the EDPB.
Sets of SCCs issued by the European Commission can be found here.
It is crucial that data controllers always take legal advice before sharing any personal data to third countries or international organizations to ensure sufficient protection of personal data. Harris Kyriakides LLC, provides all the necessary and useful advice on all legal matters in relation to GDPR and personal data, including SCCs and other legal measures.