EU: Commission publishes Q&A on SCCs
The European Commission published, on 25 May 2022, guidance outlining questions and answers ('Q&A') on the two sets of Standard Contractual Clauses ('SCCs'), on controllers and processors ('the Controller-Processor SCCs') and third-country data transfers ('the Data Transfer SCCs') respectively, as adopted by the European Commission on 4 June 2021. In particular, the Q&A aims to provide practical guidance on the use of the SCCs to assist companies with their compliance efforts and is based on feedback received from various stakeholders on their experience with using the new SCCs in the first months after their adoption.
Specifically, the Q&A addresses 44 questions regarding, among other things, technical contractual issues around signature, modification, and their relationship with other contractual provisions, as well as the functioning of the so-called docking clause. In addition, the Q&A contains a specific section dedicated to each set of SCCs. Notably, in the section on the Data Transfer SCCs, the Commission addresses the scope of data transfers for which the Data Transfer SCCs may be used, highlighting that they may not be used for data transfers to controllers or processors whose processing operations are directly subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by virtue of Article 3 of the GDPR. Further to this point, the Q&A highlights that the Commission is in the process of developing an additional set of SCCs for this scenario, which will take into account the requirements that already apply directly to those controllers and processors under the GDPR.
Furthermore, the Q&A includes a section of questions addressing the obligations of data exporters and importers in which the Commission addresses, among other things, the liability scheme under SCCs. More specifically, the Q&A states that other clauses in the broader (commercial) contract (e.g. special rules on the distribution of liability, liability caps in the relationship between the parties) may not contradict or undermine liability schemes of the SCCs.
Additionally, the Q&A includes a set of questions on local laws and government access aimed at clarifying contracting parties' obligations under Clause 14 of the Data Transfer SCCs in relation to the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Notably, the Q&A clarifies, among other things, that regarding the impact on compliance with the Data Transfer SCCs, the parties may consider different elements as part of an overall assessment, such as reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer. In this regard, the Q&A highlights that Clause 14 of the Data Transfer SCCs should not be read in isolation, but used together with the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools.
You can read the Q&A here.