Today, Friday 4 June 2021, the European Commission adopted two modernised sets of standard processing agreements:
(a) A data processing agreement for use between controllers and processors; and
(b) A processing agreement for transfer of personal data to third countries using standard contractual clauses (SCCs).
An important aspect of the new SCCs is that the Annex enables the parties to “combine the general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains. In addition to the general clauses, controllers and processors should select the module applicable to their situation, so as to tailor their obligations under the standard contractual clauses to their role and responsibilities in relation to the data processing in question.
An equally important aspect is the warranting by the data exporter and data importer on there being no reason to believe that the data importer is prevented from fulfilling its obligations under the SCCs. The warranty is based on an assessment of the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities as well as specific circumstances of the transfer.
For data controllers and data processors that are currently using previous sets of standard contractual clauses, a transition period of 18 months is provided.
The modernized SCCs builds on the verdict of the CJEU judgment in Schrems II applying a risk based approach to transfers of personal data to third countries.
The approach requires knowledge of:
(a) the laws and practices in the third country of destination;
(b) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved, transmission channels used, type of recipient; the purpose of processing; the categories, format of the transferred personal data, the economic sector in which the transfer occurs and the storage location as well as intended onward transfers; and
(c) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the SCCs, including measures applied during transmission and to the processing of the personal data in the country of destination.
For data exporters and data importers to comply with the warranting requirement risk assessments needs to be updated from the above and supplemented with solid contractual and technical measures relevant to the specific transfer.
Find the modernized standard DPA and new SCCs here