This article focuses on the legal aspects of transferring personal data of European Union citizens outside the European Union. It may be of particular interest in light of cases handled by our law firm: the transfer of personal data of patients of online medical platforms in telemedicine, the machine collection of sensitive data using web scraping methods, and the collection and transfer of data and creation of databases of financial services users in the broadly understood fintech sector. The problem is also significant for clients of our law firm that provide online gaming, online gambling, e-sports betting and e-betting services.
New standard contractual clauses
On 4 June 2021, the European Commission published revised standard contractual clauses (SCC) (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), OJ L 199, 7.6.2021, p. 31–61; hereinafter: ‘Decision 2021/914’). Their origin is to be found in Chapter V of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, p. 1–88; hereinafter: ‘GDPR’), which sets out the conditions for the transfer of EU citizens’ data to third countries, i.e. countries outside the European Economic Area (EEA). Such processing must comply with the general obligation of adequate data protection as set out in the GDPR; it follows a finding by the European Commission of an adequate European level of protection of personal data by the processor.
Grounds and rules of processing
The processing of personal data to third countries must be carried out with appropriate safeguards – the processor fulfils this obligation without the need to obtain prior authorisation from the relevant supervisory authority provided that it applies the standard contractual clauses defined in points c and d of Article 46 of the GDPR.
These clauses were amended by the previously mentioned Commission decision of 4 June 2021 in relation to processors that process data for entities or organisations located outside the EU and not subject to the GDPR.
The amendment was dictated by the development of civilisation, digitisation, the multitude of data importers and the length of data processing chains, and thus the need to ensure more effective data protection for EU citizens. The previous legal act, Directive 95/46/EC of October 1995, turned out to be outdated and inadequate for solving the problems that have arisen in the field of personal data protection in the last two decades. The new regulation allows entities to include standard contractual clauses in contracts, as well as to extend them to ensure the best possible data protection. They emphasise that data may be transferred to a third country provided that the third party declares the use of the standard clauses. If the legal regulations of a country exclude the use of the clauses, importing data to such a country becomes unacceptable.
The regulation of the new SCCs also states the absolute primacy of their use in situations where they conflict with contractual provisions made by the processor.
In other respects, the regulation refers back to the 1995 Directive and its solutions, i.e. the necessity to obtain a citizen’s consent to data transfer, informing about the method and purpose of transfer, responsibility for incompatible processing, and storing data only to the necessary extent.
Entry into force of the regulations
The Decision on standard contractual clauses entered into force on the twentieth day following that of its publication, that is, on the 27th of June 2021 (article 4 section 1 of Decision 2021/914). At the same time, the previous decisions concerning standard contractual clauses for the transfer of personal data to third countries were repealed with effect from the 27th of September 2021 (article 4 sections 2 and 3 of Decision 2021/914). This does not mean, however, that using the standard contractual clauses established in the previous decisions will be prohibited (this concerns the standard contractual clauses from two decisions: Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (Text with EEA relevance) (notified under document number C(2001) 1539), OJ L 181, 4.7.2001, p. 19–31, and Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (Text with EEA relevance), OJ L 39, 12.2.2010, p. 5–18). Where these clauses are used in contracts concluded before the 27th of September 2021, there is no obligation to exchange them for the new ones, provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards (article 4 section 4 of Decision 2021/914). In the preamble of the act, the possibility to use the old clauses is reserved for fifteen months, starting from the 27th of September 2021 (section 24 of the preamble).
Exemplary standard contractual clauses
The standard contractual clauses are listed in the annex to Decision 2021/914. They are supplemented by the explanatory note to the annex, annex I, concerning the list of parties, the description of the transfer and the competent supervisory authority, as well as annex II, which concerns technical and organisational measures including technical and organisational measures to ensure the security of the data.
There are eighteen clauses, split into four modules that regulate four possibilities of transfer: a) controller to controller, b) controller to processor, c) processor to processor and d) processor to controller. The clauses differ in content depending on the module; there are also different options for specific clauses that can become part of the contract. They regulate, among other things, sensitive data, onward transfers, security of processing, use of sub-processors, redress, and governing law and choice of forum and jurisdiction.