On June 4th, 2021, the European Commission adopted revised standard contractual clauses for international data transfers (the “New SCCs”). The New SCCs were published officially on June 7th this year.
This is the fourth post in a series about practical aspects related to implementing the New SCCs. In this post, we focus on the notification obligations of data controllers toward supervisory authorities and data subjects.
There are additional notification requirements between the parties to the New SCCs and, where applicable, between the parties and the relevant data controller. We have analyzed these additional requirements in our previous post.
General
The New SCCs are modular and, based on the position of the parties to the transfer under the GDPR, can apply between the following parties –
Module (1) controller to controller;
Module (2) controller to processor;
Module (3) processor to processor; and,
Module (4) processor to controller.
This post will explore the notification obligations that apply to data controllers or processors vis-à-vis supervisory authorities and data subjects.
Notification Obligations Under the New SCCs
Data Breach Notification: Module 1 requires controllers to notify the competent supervisory authority and the data subjects about a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons after becoming aware of it. The required notifications are as specified under Articles 33-34 of the GDPR.
Transparency and Data Subjects’ Rights: The New SCCs address the controllers’ obligations regarding the exercise of data subjects’ rights under the GDPR, including in relation to notification obligations, as follows:
In order to enable data subjects to effectively exercise their rights, module 1 of the New SCCs requires controllers to provide data subjects, either directly or through the respective data exporter, with the following details:
- the controller’s identity and contact details;
- the categories of personal data processed;
- data subjects’ right to obtain a copy of the relevant SCCs free of charge;
- where it intends to onward transfer the personal data to third parties – the recipient or categories of recipients, the purpose of such onward transfer, and the legal ground therefor.
The notification obligation is not required where the data subject already has the information (whether by the data exporter or otherwise) or if providing the information is impossible or would involve a disproportionate effort for the data importer, in which case, to the extent possible, the data importer may make the information publicly available instead.
This notification obligation correlates to the notice requirements under Articles 13(1) and 14(1) of the GDPR. In the third and fourth items above, the New SCCs provide more context to the data transfer disclosure requirement under Articles 13(1)(f) and 14(1)(f), which require controllers to provide a reference to “the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.”
The New SCCs further require the parties to the SCCs to provide data subjects, upon request and free of charge, with a copy of the SCCs, including their appendix.
The parties are allowed to redact part of the text of the annexes before sharing a copy to protect confidential information, but are required to provide a meaningful summary where the data subjects would otherwise not be able to understand its content or exercise their rights.
This is seemingly not available under Articles 13 and 14 of the GDPR. It shows a pragmatic approach, and companies may consider preparing a distribution version of their SCCs to accommodate their confidentiality needs.
Additionally, in correlation with Article 22 of the GDPR, module 1 of the New SCCs emphasizes that data importers-controllers should not make a decision based solely on the automated processing of the personal data transferred which produces legal effects concerning the data subject or similarly significantly affects him or her, unless they have the explicit consent of the data subject or are authorized to do so under the laws of the country of destination.
In this case, the controller is required to inform the data subject about the envisaged automated decision, the envisaged consequences, and the logic involved, in correlation with the notification requirements under Articles 13(2)(f) and 14(2)(g) and with the access request details under Article 15(h) of the GDPR.
Module 1 of the New SCCs also addresses the data importer’s obligation to inform the data subject if it intends to refuse a data subject’s request or of any period extension in response to a data subject’s enquiries or requests. This correlates with Articles 12(4) and 12(3) of the GDPR, respectively.
Under Clause 11 of the New SCCs, across all modules, data importers are required to inform data subjects of a contact person authorized to handle complaints. This is a novel requirement, especially for data importers in a data processor’s position. It means that importers-processors who were free from any notice obligations toward data subjects under the GDPR are now under an obligation to provide an easy and accessible way, through their website, to file a complaint.
Access Requests: Modules 3-4 require data importers (controllers under module 4 or processors under module 3) to notify, where possible, the data subject upon receipt of a legally binding request from a public authority for the disclosure of the personal data received from the data exporter, or after becoming aware of such access (for further details, see our first post).
This is a new notification obligation, as under the GDPR controllers are not required to inform data subjects of access requests by public authorities or of an actual access made by them. Furthermore, while notification obligations under the GDPR apply to controllers, this new notification obligation under the New SCCs applies to processors as well under module 3.
Non-Compliance: Across all modules, data exporters are required to inform the competent supervisory authority if a data importer becomes unable to comply with its obligations.
This notification obligation differs from the notification obligation under Article 33 of the GDPR in two ways – first, under Article 33 of the GDPR, such notification is only required in case of a personal data breach; and second, the obligation under Article 33 of the GDPR only applies to controllers, while in modules 3 and 4 the notification obligation applies to processors as well.
In Conclusion
The New SCCs introduce significant notification obligations. Some correlate with already existing requirements under the GDPR, while others are new.
Specifically, with respect to notification obligations to supervisory authorities and data subjects, the New SCCs include a set of new obligations which either do not exist under the GDPR, or apply only to controllers.
Organizations should prepare to implement new notification procedures, as they are required to implement the New SCCs, with respect to new contracts, by September 27, 2021. Existing contracts which include the old SCCs must be revised and replaced with the New SCCs by December 27, 2022.
*Read our first, second and third posts on the New SCCs, discussing the operational and financial aspects of Clause 15, the warranty and assessment obligations under Clause 14, and the notification obligations between the parties to the New SCCs.
*This post does not constitute a legal opinion.