Transferring Personal Data Outside of the EEA

Emily MartinEmily Martin
3 min read

The blog focuses on Article 28 of the GDPR, which outlines requirements for data processors in the context of data transfers outside the European Economic Area (EEA) in accordance with the GDPR principles. One of the methods to legitimize such transfers is through the use of standard contractual clauses (SCCs).

While SCCs are a widely used mechanism for ensuring compliance with data protection regulations, it is important to note that they were drafted before the GDPR came into effect and may not explicitly cover all the specific requirements outlined in Article 28 and the GDPR principles. However, SCCs do provide a comprehensive framework for addressing data protection obligations and establishing appropriate safeguards for international data transfers in line with the GDPR principles.

It's important for organizations to understand the specific requirements of Article 28 and the GDPR principles and ensure that their contracts with data processors, including the SCCs, adequately address these obligations. Additionally, organizations should regularly review and update their contractual arrangements to align with evolving data protection laws and regulations while adhering to the GDPR principles.

While SCCs provide a valuable tool for facilitating compliant data transfers, organizations should also consider other relevant safeguards and mechanisms, such as conducting data protection impact assessments (DPIAs) and implementing technical and organizational measures to ensure the protection of personal data during international transfers, as required by the GDPR principles.

So, what can you do?

Indeed, you've correctly pointed out that the standard contractual clauses (SCCs) must be used verbatim without any modifications. This means that parties cannot alter the wording of the SCCs, even if the changes have no material effect on the interpretation. However, it is possible to include additional clauses or incorporate the SCCs into a broader contract, as long as those clauses do not alter the effect of the model clauses.

When it comes to outsourcing data processing to processors outside the EEA and transferring personal data, relying solely on the SCCs may not be sufficient. There are certain gaps between Article 28 of the GDPR and the SCCs that need to be addressed. Some of these gaps include:

  1. Duration of processing: The SCCs do not explicitly address the duration of processing, and it may be necessary to include additional provisions in the contract to define the duration of processing activities.

  2. Confidentiality commitment: The SCCs do not contain a specific requirement for the data importer to commit to confidentiality. It may be necessary to add clauses in the contract to ensure the confidentiality of the transferred data.

  3. Support for data subject requests: The SCCs do not explicitly require the data importer to support the data controller in responding to data subject requests. It may be necessary to include provisions in the contract to ensure cooperation in handling such requests.

  4. Data breach response: The SCCs do not fully address the timing and cooperation requirements related to data breaches. It is important to include provisions in the contract that align with the data breach notification and response obligations under the GDPR.

  5. Data protection impact assessment (DPIA): The SCCs do not specifically address the involvement of the processor in a data protection impact assessment (DPIA). It may be necessary to include provisions in the contract to ensure the processor's participation in DPIA processes where applicable.

  6. Audit requirements: The SCCs may not cover all audit requirements. Additional clauses can be added to the contract to address the audit rights and obligations of the parties.

  7. Onward transfer of data: The SCCs primarily focus on the transfer of data from the data exporter to the data importer. If there is a need for onward transfer of data by the data importer, additional safeguards and contractual provisions may be necessary to ensure compliance with data protection requirements.

Supplementing the SCCs with additional contractual provisions that address these gaps can help ensure GDPR compliance and that the data transfer arrangement complies with the requirements of Article 28 of the GDPR and provides adequate protection for personal data.

0
Subscribe to my newsletter

Read articles from Emily Martin directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Emily Martin
Emily Martin

I'm a longstanding GDPR/data protection/privacy specialist with huge experience of both in-house and private practice, gained working across a range of sectors including hi-tech science, media, publishing, higher education and IT.