COMMISSION IMPLEMENTING DECISION (EU) …/…
of 4.6.2021
on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[1], and in particular Article 28(7) and Article 46(2)(c) thereof,
Whereas:
(1) Technological developments are facilitating cross-border data flows necessary for the expansion of international cooperation and international trade. At the same time, it is necessary to ensure that the level of protection of natural persons guaranteed by Regulation (EU) 2016/679 is not undermined where personal data is transferred to third countries, including in cases of onward transfers[2]. The data transfer provisions in Chapter V of Regulation (EU) 2016/679 are intended to ensure the continuity of that high level of protection where personal data is transferred to a third country[3].
(2) Pursuant to Article 46(1) of Regulation (EU) 2016/679, in the absence of an adequacy decision by the Commission pursuant to Article 45(3), a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the Commission pursuant to Article 46(2)(c).
(3) The role of standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers. Therefore, the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) are free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. Controllers and processors are encouraged to provide additional safeguards by means of contractual commitments that supplement the standard contractual clauses[4]. The use of the standard contractual clauses is without prejudice to any contractual obligations of the data exporter and/or importer to ensure respect for applicable privileges and immunities.
(4) Beyond using standard contractual clauses to provide appropriate safeguards for transfers pursuant to Article 46(1) of Regulation (EU) 2016/679, the data exporter has to fulfil its general responsibilities as controller or processor under Regulation (EU) 2016/679. Those responsibilities include an obligation of the controller to provide data subjects with information about the fact that it intends to transfer their personal data to a third country pursuant to Article 13(1)(f) and Article 14(1)(f) of Regulation (EU) 2016/679. In the case of transfers pursuant to Article 46 of Regulation (EU) 2016/679, such information must include a reference to the appropriate safeguards and the means by which to obtain a copy of them or information where they have been made available.
(5) Commission Decisions 2001/497/EC[5] and 2010/87/EU[6] contain standard contractual clauses to facilitate the transfer of personal data from a data controller established in the Union to a controller or processor established in a third country that does not offer an adequate level of protection. Those decisions were based on Directive 95/46/EC of the European Parliament and of the Council[7].
(6) Pursuant to Article 46(5) of Regulation (EU) 2016/679, Decision 2001/497/EC and Decision 2010/87/EU remain in force until amended, replaced or repealed, if necessary, by a Commission decision adopted pursuant to Article 46(2) of that Regulation. The standard contractual clauses in the decisions required updating in the light of new requirements in Regulation (EU) 2016/679. Moreover, since the decisions were adopted, the digital economy has seen significant developments, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains, and evolving business relationships. This calls for modernisation of the standard contractual clauses to reflect those realities better, by covering additional processing and transfer situations, and to allow a more flexible approach, for example with respect to the number of parties able to join the contract.
(7) A controller or processor may use the standard contractual clauses set out in the Annex to this Decision to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or controller established in a third country, without prejudice to the interpretation of the notion of international transfer in Regulation (EU) 2016/679. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.
(8) Given the general alignment of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 of the European Parliament and of the Council[8], it should be possible to use the standard contractual clauses also in the context of a contract, as referred to in Article 29(4) of Regulation (EU) 2018/1725 for the transfer of personal data to a sub‑processor in a third country by a processor that is not a Union institution or body, but which is subject to Regulation (EU) 2016/679 and which processes personal data on behalf of a Union institution or body in accordance with Article 29 of Regulation (EU) 2018/1725. Provided the contract reflects the same data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) Regulation (EU) 2018/1725, in particular by providing sufficient guarantees for technical and organisational measures to ensure that the processing meets the requirements of that Regulation, this will ensure compliance with Article 29(4) of Regulation (EU) 2018/1725. In particular, that will be the case where the controller and processor use the standard contractual clauses in Commission Implementing Decision on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council[9].
(9) Where the processing involves data transfers from controllers subject to Regulation (EU) 2016/679 to processors outside its territorial scope or from processors subject to Regulation (EU) 2016/679 to sub‑processors outside its territorial scope, the standard contractual clauses set out in the Annex to this Decision should also allow to fulfil the requirements of Article 28(3) and (4) of Regulation (EU) 2016/679.
(10) The standard contractual clauses set out in the Annex to this Decision combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains. In addition to the general clauses, controllers and processors should select the module applicable to their situation, so as to tailor their obligations under the standard contractual clauses to their role and responsibilities in relation to the data processing in question. It should be possible for more than two parties to adhere to the standard contractual clauses. Moreover, additional controllers and processors should be allowed to accede to the standard contractual clauses as data exporters or importers throughout the lifecycle of the contract of which they form a part.
(11) In order to provide appropriate safeguards, the standard contractual clauses should ensure that the personal data transferred on that basis is afforded a level of protection essentially equivalent to that guaranteed within the Union[10]. With a view to ensuring transparency of processing, data subjects should be provided with a copy of the standard contractual clauses and be informed, in particular, of the categories of personal data processed, the right to obtain a copy of the standard contractual clauses, and any onward transfer. Onward transfers by the data importer to a third party in another third country should be allowed only if the third party accedes to the standard contractual clauses, if the continuity of protection is ensured otherwise, or in specific situations, such as on the basis of the explicit, informed consent of the data subject.
(12) With some exceptions, in particular as regards certain obligations that exclusively concern the relationship between the data exporter and data importer, data subjects should be able to invoke, and where necessary enforce, the standard contractual clauses as third-party beneficiaries. Therefore, while the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third‑party beneficiary rights. In order to facilitate individual redress, the standard contractual clauses should require the data importer to inform data subjects of a contact point and to deal promptly with any complaints or requests. In the event of a dispute between the data importer and a data subject who invokes his or her rights as a third-party beneficiary, the data subject should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.
(13) In order to ensure effective enforcement, the data importer should be required to submit to the jurisdiction of such authority and courts, and to commit to abide by any binding decision under the applicable Member State law. In particular, the data importer should agree to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. In addition, the data importer should have the option of offering data subjects the opportunity to seek redress before an independent dispute resolution body, at no cost. In line with Article 80(1) of Regulation (EU) 2016/679, data subjects should be allowed to be represented by associations or other bodies in disputes against the data importer if they so wish.
(14) The standard contractual clauses should provide for rules on liability between the parties and with respect to data subjects, and rules on indemnification between the parties. Where the data subject suffers material or non-material damage as a consequence of any breach of the third‑party beneficiary rights under the standard contractual clauses, he or she should be entitled to compensation. This should be without prejudice to any liability under Regulation (EU) 2016/679.
(15) In the case of a transfer to a data importer acting as a processor or sub-processor, specific requirements should apply in accordance with Article 28(3) of Regulation (EU) 2016/679. The standard contractual clauses should require the data importer to make available all information necessary to demonstrate compliance with the obligations set out in the clauses and to allow for and contribute to audits of its processing activities by the data exporter. With respect to the engagement of any sub-processor by the data importer, in line with Article 28(2) and (4) of Regulation (EU) 2016/679, the standard contractual clauses should in particular set out the procedure for general or specific authorisation from the data exporter and the requirement for a written contract with the sub-processor ensuring the same level of protection as under the clauses.
(16) It is appropriate to provide different safeguards in the standard contractual clauses that cover the specific situation of a transfer of personal data by a processor in the Union to its controller in a third country and reflect the limited self-standing obligations for processors under Regulation (EU) 2016/679. In particular, the standard contractual clauses should require the processor to inform the controller if it is unable to follow its instructions, including if such instructions infringe Union data protection law, and require the controller to refrain from any actions that would prevent the processor from fulfilling its obligations under Regulation (EU) 2016/679. They should also require the parties to assist each other in responding to enquiries and requests from data subjects under the local law applicable to the data importer or, for data processing in the Union, under Regulation (EU) 2016/679. Additional requirements to address any effects of the laws of the third country of destination on the controller’s compliance with the clauses, in particular how to deal with binding requests from public authorities in the third country for disclosure of the transferred personal data, should apply where the Union processor combines the personal data received from the controller in the third country with personal data collected by the processor in the Union. Conversely, no such requirements are justified where the outsourcing merely involves the processing and transfer back of personal data that has been received from the controller and in any event has been and will remain subject to the jurisdiction of the third country in question.
(17) The parties should be able to demonstrate compliance with the standard contractual clauses. In particular, the data importer should be required to keep appropriate documentation for the processing activities under its responsibility and to inform the data exporter promptly if it is unable to comply with the clauses, for whatever reason. In turn, the data exporter should suspend the transfer and, in particularly serious cases, have the right to terminate the contract, insofar as it concerns the processing of personal data under standard contractual clauses, where the data importer is in breach of the clauses or unable to comply with them. Specific rules should apply where local laws affect compliance with the clauses. Personal data that has been transferred prior to the termination of the contract, and any copies thereof, should at the choice of the data exporter be returned to the data exporter or destroyed in their entirety.
(18) The standard contractual clauses should provide for specific safeguards, in particular in the light of the case law of the Court of Justice[11], to address any effects of the laws of the third country of destination on the data importer’s compliance with the clauses, in particular how to deal with binding requests from public authorities in that country for disclosure of the transferred personal data.
(19) The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. In this context, laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 should not be considered as being in conflict with the standard contractual clauses. The parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements.
(20) The parties should take account, in particular, of the specific circumstances of the transfer (such as the content and duration of the contract, the nature of the data to be transferred, the type of recipient, the purpose of the processing), the laws and practices of the third country of destination that are relevant in light of the circumstances of the transfer and any safeguards put in place to supplement those under the standard contractual clauses (including relevant contractual, technical and organisational measures applying to the transmission of personal data and its processing in the country of destination). As regards the impact of such laws and practices on compliance with the standard contractual clauses, different elements may be considered as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer.
(21) The data importer should notify the data exporter if, after agreeing to the standard contractual clauses, it has reason to believe that it is not able to comply with the standard contractual clauses. If the data exporter receives such notification or otherwise becomes aware that the data importer is no longer able to comply with the standard contractual clauses, it should identify appropriate measures to address the situation, if necessary in consultation with the competent supervisory authority. Such measures may include supplementary measures adopted by the data exporter and/or data importer, such as technical or organisational measures to ensure security and confidentiality. The data exporter should be required to suspend the transfer if it considers that no appropriate safeguards can be ensured, or if so instructed by the competent supervisory authority.
(22) Where possible, the data importer should notify the data exporter and the data subject if it receives a legally binding request from a public (including judicial) authority under the law of the country of destination for disclosure of personal data transferred pursuant to the standard contractual clauses. Similarly, it should notify them if it becomes aware of any direct access by public authorities to such personal data, in accordance with the law of the third country of destination. If, despite its best efforts, the data importer is not in a position to notify the data exporter and/or the data subject of specific disclosure requests, it should provide the data exporter with as much relevant information as possible on the requests. In addition, the data importer should provide the data exporter with aggregate information at regular intervals. The data importer should also be required to document any request for disclosure received and the response provided, and make that information available to the data exporter or the competent supervisory authority, or both, upon request. If, following a review of the legality of such a request under the laws of the country of destination, the data importer concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the third country of destination, it should challenge it, including, where appropriate, by exhausting available possibilities of appeal. In any event, if the data importer is no longer able to comply with the standard contractual clauses, it should inform the data exporter accordingly, including where this is the consequence of a request for disclosure.
(23) As stakeholder needs, technology and processing operations may change, the Commission should evaluate the operation of the standard contractual clauses in the light of experience, as part of the periodic evaluation of Regulation (EU) 2016/679 referred to in Article 97 of that Regulation.
(24) Decision 2001/497/EC and Decision 2010/87/EU should be repealed three months after the entry into force of this Decision. During that period, data exporters and data importers should, for the purpose of Article 46(1) of Regulation (EU) 2016)679, still be able to use the standard contractual clauses set out in Decisions 2001/497/EC and 2010/87/EU. For an additional period of 15 months, data exporters and data importers should, for the purpose of Article 46(1) of Regulation (EU) 2016)679, be able to continue to rely on standard contractual clauses set out in Decisions 2001/497/EC and 2010/87/EU for the performance of contracts concluded between them before the date of repeal of those decisions, provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on the clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679. In the event of relevant changes to the contract, the data exporter should be required to rely on a new ground for data transfers under the contract, in particular by replacing the existing standard contractual clauses with the standard contractual clauses set out in the Annex to this Decision. The same should apply to any sub-contracting to a (sub-)processor of processing operations covered by the contract.
(25) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(1) and (2) of Regulation (EU) 2018/1725 and delivered a joint opinion on 14 January 2021[12], which has been taken into consideration in the preparation of this Decision.
(26) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 93 of Regulation (EU) 2016/679.
HAS ADOPTED THIS DECISION:
Article 1
1. The standard contractual clauses set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 2016/679 for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer).
2. The standard contractual clauses also set out the rights and obligations of controllers and processors with respect to the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679, as regards the transfer of personal data from a controller to a processor, or from a processor to a sub-processor.
Article 2
Where the competent Member State authorities exercise corrective powers pursuant to Article 58 of Regulation (EU) 2016/679 in response to the data importer being or becoming subject to laws or practices in the third country of destination that prevent it from complying with the standard contractual clauses set out in the Annex, leading to the suspension or ban of data transfers to third countries, the Member State concerned shall, without delay, inform the Commission, which will forward the information to the other Member States.
Article 3
The Commission shall evaluate the practical application of the standard contractual clauses set out in the Annex on the basis of all available information, as part of the periodic evaluation required by Article 97 of Regulation (EU) 2016/679.
Article 4
1. This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. Decision 2001/497/EC is repealed with effect from [OPOCE, please insert date three months after the date in Article 4(1)].
3. Decision 2010/87/EU is repealed with effect from [OPOCE, please insert date three months after the date in Article 4(1)].
4. Contracts concluded before [OPOCE, please insert the same date as in Article 4(2) and (3)] on the basis of Decision 2001/497/EC or Decision 2010/87/EU shall be deemed to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 until [OPOCE, please add date 15 months from the date in Article 4(2) and (3)], provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Done at Brussels, 4.6.2021
For the Commission
The President
Ursula VON DER LEYEN
[1] OJ L 119, 4.5.2016, p. 1.
[2] Article 44 of Regulation (EU) 2016/679.
[3] See also judgment of the Court of Justice of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (‘Schrems II’), ECLI:EU:C:2020:559, paragraph 93.
[4] Recital 109 of Regulation (EU) 2016/679.
[5] Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (OJ L 181, 4.7.2001, p. 19).
[6] Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5).
[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
[8] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39); see recital 5.
[9] C(2021)3701.
[10] Schrems II, paragraphs 96 and 103. See also Regulation (EU) 2016/679, recitals 108 and 114.
[11] Schrems II.
[12] EDPB EDPS Joint Opinion 2/2021 on the European Commission’s Implementing Decision on standard contractual clauses for the transfer of personal data to third countries for the matters referred to in Article 46(2)(c) of Regulation (EU) 2016/679.