New Draft Standard Contractual Clauses for Personal Data Transfers Outside EEA and Domestic Controller to Processor Relationships

25 November 2020

On 12 November 2020, the European Commission published two draft implementing decisions: (1) one containing a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the SCCs), and (2) one containing a draft of new standard contractual clauses for controller-processor data processing agreements (DPAs) pursuant to Article 28(7) of the GDPR. The new SCCs are awaited particularly after the Court of Justice of the European Union declared invalid the EU-U.S. Privacy Shield in its Schrems II ruling in July 2020, although it remains uncertain whether such new SCCs will be able to overcome the incompatible legislation in states where the data are imported (such as the U.S. legislation allowing for broad surveillance of electronic communication without appropriate privacy safeguards for European data subjects).

Citizens and other stakeholders have until 10 December 2020 to provide feedback on the above-mentioned draft implementing decisions. After this date, the relevant committee will vote to accept or reject the draft decisions.

The published draft implementing decision on SCCs includes inter alia the Annex containing the actual clauses which follows a modular approach to cater to various cross-border transfer scenarios. Parties to a transfer outside the EU may base their personal data transfer on the general clauses and the respective module applicable to their processing situation at issue.

The new clauses can be used for the transfer of personal data (1) from controllers in the EU to controllers in a third country, (2) from controllers in the EU to processors in a third country, (3) from processors in the EU to a sub-processor in a third country, (4) from controllers located in a third country subject to the GDPR to processors outside the territorial scope of application of the GDPR, and (5) from processors located in a third country subject to the GDPR to sub-processors outside the territorial scope the GDPR.

The proposed SCCs are issued under the GDPR. Their coverage is wider than that of the old SCCs, since the new clauses cover additional processing and transfer situations and use a more flexible approach, for example, with respect to the number of parties able to join the contract.

The new clauses do not relieve the parties to the processing arrangement from assessing and addressing the likely consequences of the third country’s laws. In effect, the new SCCs require the parties to perform a mini adequacy determination to evaluate whether the third country’s laws would prevent the data importer from complying with the SCCs in practice.

The SCCs newly require that data subjects be provided with a copy of the new clauses upon request and are informed, in particular, of (a) any change of purpose of personal data processing and of (b) the identity of any third party to which the personal data will be disclosed. The SCCs also newly (1) provide that any onward transfer by the data importer to a recipient in another third country requires that either such recipient joins the SCCs or the data subject gives explicit, informed consent; (2) describe in more detail the liability between the parties and towards the data subjects and the indemnification obligations between the parties to the transfer; (3) cover specific processing situations such as the merger of non-GDPR personal data with GDPR personal data by a data processor; (4) explicitly require a sub-processor to ensure compliance with the instructions of both the processor and the controller, etc.

The European Commission separately proposed certain standard contractual clauses to be used between controllers and processors, as part of a DPA. These SCCs are the Commission’s response to Article 28(7) of the GDPR, which allows the European Commission to “lay down standard contractual clauses” for the contractual safeguards required by Article 28(3) and (4) of the GDPR when a data controller engages a data processor to carry out specific processing activities on its behalf. The European Commission has set forth these new SCCs for DPAs to standardize the data protection-related rights and obligations of the respective parties even for transfers that do not cross the EEA borders.

Cookie name	Type and function	Source	Storage period
SERVERID	Strictly necessary cookie – Ensures that the user uses the same server during a particular visit/session. The cookie sets the infrastructure provider and represents a functional element.	Solidpixels	Session
CMS-(ID)-FE	Strictly necessary cookie - Stores a unique identifier for a given session on the website	Solidpixels	Session
CMS-(ID)-FE-language	Strictly necessary cookie - Stores a unique identifier for the selected language of the website	Solidpixels	1 day
CMS-(ID)-FE-cookies_allow_ac	Strictly necessary cookie - The cookie stores a visitor's consent settings for the collection of analytical data about his/her movement on the website.	Solidpixels	5 years
CMS-(ID)-FE-cookies_allow_mc	Strictly necessary cookie - The cookie stores a visitor's consent settings for the data collection for marketing purposes.	Solidpixels	5 years
CMS-(ID)-FE-cookies_notification	Strictly necessary cookie - Stores information whether the cookie bar has been confirmed in the past.	Solidpixels	5 years

Cookie name	Type and function	Source	Storage period
_ga	Analytical cookie – The cookie is used to distinguish unique/individual users by assigning a randomly generated number as an identifier. It is included in every page request on your website and is used to calculate visitor data, campaign sessions for page analytics reporting.	Google	2 years
_gat	Analytical cookie – A _gat cookie is used to limit analytics requests in order to restrict the requests sent from your browser to Google services. Cookies have several limitations that can cause excessive reporting of the number of users.	Google	1 day
_gid	Analytical cookie – Registers a unique identifier that is used to generate statistical data about how a visitor uses the website.	Google	1 day
_hjlncludedInSample	Analytical cookie – Used for web analysis by HotJar, identifies the visitor during the session	HotJar	Session
_hjid	Analytical cookie – stores a unique identifier of the website visitor	Hot Jar	1 year
_dc_gtm_UA-*	Analytical cookie – Applies when Google Analytics are embedded via Google Tag Manager. It has the same function as _gat.	Google	Session

Cookie name	Type and function	Source	Storage period
_fbp	Marketing cookie – used to track visits across websites	Facebook	3 months
_gcl_au	Marketing cookie – determines advertising effectiveness on the websites visited by a user	Google Adsense	3 months
NID	Marketing cookie – stores a unique identifier that identifies a returning user and is used for advertising targeting	Google	6 months