July 11, 2021
On June 4th, 2021, the European Commission adopted revised standard contractual clauses for international data transfers (the “New SCCs”). The New SCCs were published officially on June 7th this year.
This is the third post in a series about practical aspects related to implementing the New SCCs. In this post, we focus on the notification obligations between the parties and, where applicable, between the parties and the relevant data controller. This post compares the notification obligations with those under the GDPR and sheds light on the new notification requirements that the parties to the SCCs should be aware of.
Under the New SCCs, there are additional notification requirements to supervisory authorities and data subjects. These additional notifications will be the subject of the next post.
The New SCCs are divided into 4 modules based on the position of the parties to the transfer under the GDPR –
Module (1) controller to controller;
Module (2) controller to processor;
Module (3) processor to processor; and,
Module (4) processor to controller.
Each module establishes a requirement on one of the parties, or both, to provide the other party with notifications in a number of situations as further detailed below.
Generally, the notification obligations apply to a processor toward a controller (in modules 2 and 4) or to an importer toward an exporter (in modules 1 and 3, where both parties are processors or controllers).
Notification Obligations Under the New SCCs
Inability to Follow Instructions: Modules 2 and 4 require processors (as importers or exporters) to notify the controllers if they are unable to follow the controllers’ processing instructions. The same obligation applies to the processor-importer under module 3 (processor to processor) toward the processor-exporter. Additionally, module 3 also requires the exporter to forward the notification to the relevant controller.
This is a different notification obligation, compared with the processor’s obligation under Article 28(3)(h) of the GDPR, which requires the processor to “immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.” Additionally, unlike Article 28, it applies to three contractual situations, not just to controller-processor engagement.
Data Breach Notification: Modules 2 and 4 require processors to notify the controller after becoming aware of any data breach concerning the personal data being processed under the agreement. Modules 1 and 3 impose the same obligation on the controller-importer toward the exporter. Compared with Article 33(2) of the GDPR, this is a new data breach notification obligation.
Inaccuracy of the Data: Modules 2 and 4 require processors to notify the controller upon becoming aware that the personal data received by them is inaccurate or has become outdated. A similar obligation exists in module 3, applying to the data importer, and in module 1, applying to both parties. The inaccuracy notification obligation establishes a new notification requirement on processors, and with regard to module 1, on both controllers.
This new notification obligation seems to correlate with the general requirement under recital 39 of the GDPR (“every possible step to be taken to ensure that personal data which is inaccurate is rectified or deleted”).
Outsourcing: Modules 2 and 3 require importers to notify the exporter, in writing, of any failure by a sub-processor to fulfill the sub-processor’s obligations. This is a new obligation, compared with Article 28(4) of the GDPR, as that Article establishes full liability on processors for the performance of sub-processors’ obligations but does not require notification of such performance failures.
Additionally, under those modules, if the importer has obtained the relevant exporter’s approval of a pre-approved list of sub-processors, any change to that list requires the importer to notify the relevant controller. This notification requirement correlates with Article 28(2) of the GDPR.
Onward Transfer: under module 1, the controller-importer may disclose personal data to a third party located outside the EEA only under certain alternative legal bases. If such an onward transfer is based on the data subjects’ consent to the transfer, received by the controller-importer (in accordance with the legal basis set out under Clause 8.7(vi) of the New SCCs), then the controller-importer must notify the controller-exporter of such transfer.
Data Subjects’ Rights: Modules 2 and 3 require importers to notify the exporter of any requests received from a data subject. This is a new explicit notification obligation. It joins the general requirement under Article 28(3)(e) of the GDPR, which requires processors to assist controllers, by appropriate technical and organizational measures, in the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights.
We note that the new notification obligations correlate with the EDPB interpretation of the processor’s assistance duties, pursuant to Guidelines 7/2020 on the concepts of controller and processor in the GDPR.
Local Laws Affecting Compliance: across all modules, importers are required to notify exporters when they become subject to any law or practice that prevents them from fulfilling their obligations. Additionally, module 3 requires the exporter to forward the notification to the relevant controller.
This is a new notification obligation, which complements the obligation set out under Clause 14(c) of the New SCCs, requiring importers to continue to cooperate with exporters in ensuring compliance with the New SCCs, in relation to the assessment of local laws and practices of the country of destination.
Access Requests: across all modules, importers are required to notify the exporter, where possible, upon receipt of a legally binding request from a public authority for the disclosure of the personal data received from the exporter, or after becoming aware of such access (for further details, see our first post). However, with regard to module 4, this obligation only applies when the EU processor-exporter combines the personal data received from the third-country controller-importer with personal data collected by the EU processor-exporter in the EU.
This obligation is unique by nature, as it establishes a new type of requirement on a controller to notify a processor, in contrast with the usual one-way notification relationship under the GDPR, where processors are the ones required to notify controllers.
Non-Compliance: across all modules, importers are required to notify the exporter if they become unable to comply with their obligations. This is a different notification obligation, compared with the processor’s obligation under Article 28(3)(h) of the GDPR, which requires the processor to “make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller,” in two ways:
- in modules 1 and 4, this obligation applies to controllers, while Article 28(3)(h) applies to processors; and,
- the obligation to “make available all information” under Article 28(3)(h) is reactive by nature, applying only when controllers request such information. In contrast, this new obligation under Clause 16 of the New SCCs establishes a proactive obligation to “promptly inform the data exporter” if an importer is no longer able to comply with the New SCCs.
Notification Mechanism. The New SCCs establish many notification requirements, which require the parties to establish a notification mechanism.
The notification mechanism may be established either by organizational measures, such as an internal notification policy, or by automatic technical measures, such as the “warrant canary” method described in section 110 of the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
The parties have the right, under Clause 2(a) of the New SCCs and Recital 109 of the GDPR, to make additions to the New SCCs as long as such additions do not contradict them. The parties should consider using this right to include such a notification mechanism.
Notify v. Inform. The New SCCs distinguish between obligations to notify and obligations to inform. For example, requirements with regard to data breaches or local laws use the term “notify,” while requirements relating to the inability to follow instructions or inaccuracy of the personal data use the term “inform.” The difference between the two is not entirely clear.
Additionally, the only specific requirement for a notification to be made in writing is the requirement relating to sub-processors’ inability to fulfill their obligations under the New SCCs.
Written notifications generate confidence and reduce potential friction over their content, and therefore are generally preferred over verbal notifications. As part of the proposed notification process, the parties may agree that recorded calls would serve as a sufficient notification method.
New Duties on Controllers. As mentioned above, some of the new notification obligations under the New SCCs apply to controllers toward processors. This changes the picture: the usual one-way notification relationship between controllers and processors under the GDPR seems to evolve into a two-way notification relationship.
*This post does not constitute a legal opinion.