International data transfers: European Commission Standard Contractual Clauses
According to the General Data Protection Regulation (GDPR / GDPR), flows of personal data to countries outside the European Economic Area would be considered international data transfers. The European Economic Area, in addition to all the countries within the European Union, would include Liechtenstein, Iceland, and Norway. Therefore, in accordance with the provisions of Articles 44 et seq. GDPR, in order to carry out transfers to third countries, it is necessary to meet the requirements expressly established for this purpose.
When an international transfer of personal data to a third country is to be carried out, the first thing to check is whether the country is within the list of countries with an adequate level of protection. For this purpose, you can check the list in this link (please note that, in the case of the United States, this would only apply to entities adhering to the Privacy Shield). If the country is on this list, no different action is required when compared to a data transmission within the European Union.
Once it has been verified that the country is not included within this list, different possibilities can be found in article 46 GDPR to carry out this transfer legally. To this end, without prejudice to other possibilities, such as the Binding Corporate Rules, let’s focus on what is perhaps the most commonly used measure in practice: the European Commission’s standard contractual clauses.
Article 46 of the GDPR provides that the controller or processor may only transmit personal data to a third country if it has offered appropriate safeguards. In this sense, Art. 46.2.c establishes that it would be valid to sign standard data protection clauses adopted by the Commission. In addition, the following paragraph allows local data protection authorities to also approve standard clauses (however, at the time of writing this article, I am not aware that any data protection authority has approved any such clauses).
All this means is that it would be enough for both parties (the data exporter and the data importer) to sign these standard contractual clauses (without, however, neglecting any other data protection obligations, such as informing data subjects, etc.). As a result, depending on the specific situation, two different types of clauses can be signed:
EU controller to non-EU or EEA controller:
EU controller to non-EU or EEA processor:
Is it possible to edit the standard contractual clauses for international data transfers?
So far, everything seems pretty clear; but once we go into the exciting standard contract clauses, the question often arises as to whether they can be modified. This is because there are quite a few occasions when either party would prefer to replace some of their clauses or simply add new ones that are more in line with their interests. This is usually the case when we have companies with strict policies on their contractual models, so they would like to adapt the standard clauses to those models.
To this end, reference should be made to the fact that the clauses themselves have parts that need to be tailored (for example, when we need to identify the signatory parties or the information relating to the transfer). In these cases, it is clear that we need to include some personalised text in the clauses as necessary. However, in my view, there would be no possibility of modifying the clauses beyond this for the following reasons:
– Nature of the standard clauses: The standard contractual clauses are “standard”; if they could be modified, they would lose their nature. Let us bear in mind that this is a text drafted and approved by the European Commission in order to comply with the necessary guarantees, and therefore, any alteration would mean that we would deviate from what was expressly approved by the authority. The existence of standard clauses as a guarantee mechanism would be of no use if these could be freely modified.
– Express prohibition included in the standard clauses. The clauses themselves, in the 2004 and 2010 decisions, include a specific provision prohibiting the parties from modifying the signed clauses. This clearly shows the Commission’s willingness to have the clauses signed as they have been published and not subsequently modified.
– Criteria of the Information Commissioner Officer (ICO). The ICO published a document indicating that the use of any version of the clauses in which any slight change in the wording of the clauses has been made (even if this does not change the meaning of the clauses), would be considered not to be equivalent to the genuine standard clauses approved by the Commission. As a consequence, it would not be valid to automatically demonstrate compliance with the necessary safeguards.
–Criteria of the Spanish Data Protection Authority (in my experience). When Spain applied the previous 1999 Data Protection Act (LOPD), it included a general principle of authorization for international data transfers outside the EU, and, in order to get this authorisation, the parties had to sign the standard contractual clauses beforehand. According to my experience managing transfer authorization procedures, the Spanish DPA did not admit a single change in the standard contractual clauses (even format changes). Otherwise, the refusal of the request for authorization was automatic (as I said, this is based on my personal experience; not on any official guidance issued by the Spanish DPA).
Therefore, if we take into account all the factors indicated above, the conclusion would be that these clauses should not be modified or altered. If you want to include some of the optional clauses that some of the models include in the final part (on liability and so on), you should add them as an annex. Without prejudice to the foregoing, there is nothing to prevent us from signing additional contracts to address any gap(s) that were not included in these clauses; provided that it does not imply an alteration of them.