Anyone wishing to transfer personal data from the EU to the US or other third countries must rely on standard contractual clauses (SCCs), especially since the end of the EU/US Privacy Shield, in order not to risk a violation of data protection law. The eco Association and the international law firm Fieldfisher provide assistance with the the tool mySCCcreator, which compiles the desired clauses at the click of a mouse.
The USA and numerous other third countries do not offer a level of data protection that is adequate for the GDPR. With regard to the US, the highest European court stated this explicitly last summer, overturning the EU/US Privacy Shield. Since then, this important legal basis for the transfer of data from EU countries to the USA has been lacking. European companies with branches in the USA or companies that wanted to use service providers on the other side of the Atlantic have been uncertain – how can they send personal data across the Atlantic without risking a fine?
The answer is the Standard Contractual Clauses adopted by the EU Commission, which are in practice the main legal basis for such international data transfers.
Contract templates for individual requirements
The EU Commission has just clarified what such contractual clauses should look like. It drafted and has now published new Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries.
In contrast to the previous Standard Contractual Clauses, which offered two controller-to-controller sets and one controller-to-processor set, the new Standard Contractual Clauses take a modular approach. The clauses can be used for the following data transfers:
Module 1: From a controller to another controller (C2C)
Module 2: From a controller to a processor (C2P)
Module 3: From a processor to a processor (P2P)
Module 4: From a processor to its appointing controller (P2C)
In order to provide eco members and other companies with concrete assistance in formulating legally compliant standard contractual clauses, the eco Association and the law firm Fieldfisher have now published the mySCCcreator tool. This gives everyone the opportunity, in just a few steps, to put together the right contract template with the clauses relevant to them. A combination of several modules can also be selected by providing several options in answering the corresponding questions, thus covering different data transmission constellations. After answering the questions, the finished templates can be downloaded in DOC format.
Please note that the Fieldfisher mySCCcreator is for information purposes only and in particular its use does not constitute legal advice. It should be noted that the document provided does not constitute a legally binding agreement, e.g. the annexes to the standard contractual clauses still need to be completed by the parties involved in each individual case. Annex 1 contains the description of the data transfer; Annex 2 deals with the technical and organisational security measures for the protection of the transferred data; and Annex 3 contains a list of sub-processors and is provided for the case that the data importer has to obtain a special authorisation from the data exporter to appoint sub-processors. For specific legal questions, we recommend that you seek advice from an expert.