Support Centre

You have out of 10 free articles left for the week

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: EDPB and EDPS adopt joint opinions on Commission's draft SCCs

The European Data Protection Board ('EDPB') and the European Data Protection Supervisor ('EDPS') issued, on 15 January 2021, a statement announcing that they had adopted joint opinions on two sets of the European Commision's draft Standard Contractual Clauses ('SCCs'), with one opinion on the draft SCCs for contracts between controllers and processors ('the Controller-Processor SCCs') and one opinion on the draft SCCs for the transfer of personal data to third countries ('the Third Country Transfer SCCs'). In particular, several amendments were requested in order to bring more clarity to the text, in particular in relation to the interplay between the two sets of SCCs, the so-called 'docking clause' which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggested that the Annexes to the SCCs clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity as any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.

Furthermore, the EDPB and the EDPS stated that the Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors. 

Moreover, the EDPB and the EDPS highlighted that the Third Country Transfer SCCs will replace the existing SCCs for international transfers that were adopted on the basis of Data Protection Directive (Directive 95/46/EC) and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Judgment'), and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in case of binding requests from public authorities for disclosure of personal data.

In general, the EDPB and the EDPS noted that they are of the opinion that the draft SCCs present a reinforced level of protection for data subjects. In particular, the EDPB and the EDPS welcomed the specific provisions intended to address some of the main issues identified in the Schrems II Judgment. Nevertheless, the EDPB and EDPS outlined that they are of the view that several provisions could be improved or clarified, such as the scope of the SCCs, certain third-party beneficiary rights, certain obligations regarding onward transfers, aspects of the assessment of third country laws regarding access to public data by public authorities, and the notification to the supervisory authority.

Furthermore, the EDPB and the EDPS invited the Commission to refer to the final version of the EDPB Recommendations on supplementary measures, should the final version of the recommendations be adopted before the Commission's SCC decision, noting that the recommendations were submitted for public consultation until 21 December 2020 and are still subject to possible further modifications on the basis of the results of the public consultation.

You can read the statement on the EDPS website here and the EDPB website here.