Considerations on embedding the new standard contractual clauses in IT contracts

Authors: Heidi Waem and Nicolas Becker

On 4 June 2021, the European Commission released the final version of the new Standard Contractual Clauses (new SCCs) (see our blogpost here).

This new set of clauses was launched in the aftermath of the CJEU’s Schrems II decision and includes specific wording to address certain concerns raised by the CJEU.

Before Schrems II, the “old” SCCs were routinely included in IT contracts without thorough consideration of the interplay between those old SCCs and the IT agreement itself, for example in case of suspension or termination of the data transfers, because such suspension or termination did not happen in practice.

However, since Schrems II and the uptick in enforcement regarding data transfers,[1] using the new SCCs requires careful consideration because, for example, the suspension or termination of a data transfer is no longer a merely theoretical situation.

We discuss below a number of elements that require appropriate consideration.

Mandatory data transfer assessment before conclusion of the new SCCs

Under article 14 (a) of the new SCCs, parties warrant that they have no reason to believe that the laws and practices in the third country applicable to the processing of personal data by the importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the SCCs.

In providing the warranty, parties declare that they have duly assessed the data transfer taking into account the following elements (article 14 (b)):

  • the specific circumstances of the transfer, the intended onward transfers, the type of recipient, the purpose of processing, the categories and format of the transferred personal data, the economic sector in which the transfer occurs, the storage location of the data transferred;
  • the laws and practices of the third country of destination, including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfers and the applicable limitations and safeguards; and
  • any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the new SCCs.

Furthermore, the data importer warrants that it has made its best efforts to provide the data exporter with relevant information (article 14 (c)).

The assessment must be documented and provided to the competent supervisory authority on request.

With this clause, the SCCs formalize the EDPB’s recommendation to perform a data transfer assessment before transferring personal data to a third country that does not provide for an adequate level of protection.

This will require both data exporters and data importers to put in place a methodological process to perform such assessments, to support each other and exchange relevant information. Such assessment and cooperation between the parties is not only required before the conclusion of the agreement. Parties will need to continue to cooperate in ensuring compliance with the SCCs over the entire life of the contract (article 14 (c)).

A missing or insufficient assessment of the data transfer's compliance may result in severe consequences for the parties, including suspension of the data transfer and possibly termination of the agreement.

Suspension of the data transfers or termination of the contract

Where the data importer can no longer fulfil its obligations under the SCCs because it becomes subject to laws or practices not in line with the requirements of article 14 (a), it must notify the data exporter (article 14 (e)).

Upon receipt of such notification, the data exporter must promptly identify appropriate safeguards. If no such safeguards are available, the data exporter will be under the obligation to suspend the data transfer, and is entitled to terminate the contract insofar as it concerns the processing of personal data under the new SCCs (article 14(f)).

Furthermore, in case of non-compliance with the SCCs, or inability to comply, by the data importer, the data exporter is under the obligation to suspend the data transfer until compliance is again ensured, or the contract (insofar as it concerns the processing of personal data under the SCCs) is terminated (article 16).

Where the processing of personal data is at the core of the agreement, for example if the data is hosted by the data importer, implementing the suspension of the transfer might impact the continued performance of the related agreement.

Similarly, where the data is accessed by the data importer for processing, suspending the transfer of personal data would mean that access to the data must be restricted.

Another scenario might be that the supervisory authority orders the suspension of a data transfer.

The SCCs add a further level of complexity if multiple parties are involved in the data transfer or the service agreement. Both article 14(f) and article 16 specifically provide that, when the data exporter is entitled to terminate the data processing as per the SCCs, it may exercise its right to termination but only with respect to the relevant party (i.e. the data importer(s) in breach of the SCCs), unless the parties have agreed otherwise. This means that a termination as per the SCCs may not be grounds for a valid termination vis-à-vis other parties in the same agreement, in the absence of specific provisions in this respect.

Risks and how to mitigate them contractually

It goes without saying that these scenarios must be carefully considered. The consequences of a suspension of a data transfer, or of the termination of processing of personal data as a result of a breach of the SCCs, must be assessed by the parties and, as much as possible, duly addressed in the related services agreement.

One of the points of attention will be to include carefully drafted suspension and termination regimes in the underlying service agreement to cater for such circumstances, which may hinder continued performance. Parties should carefully describe in their agreement what kind of suspension or termination events (as per the SCCs) could qualify as a contractual breach (meaning: opening the right to a potential liability claim) as opposed to an external cause event (without liability). Force majeure definitions or clauses should also be considered in light of the new SCCs, since a sudden change in the law or an invasive measure from enforcement authorities in the country of destination could possibly qualify as an act of God (fait du Prince) for the data importer in some force majeure clauses.

Destruction of personal data following termination of the contract

In case of termination of the contract pursuant to clause 14(f) or article 16, the personal data must, at the choice of the data exporter, immediately be returned to the data exporter or deleted in its entirety.

Where the data exporter also has or keeps the data on its own systems, this should not be too difficult to comply with. If not, appropriate safeguards should be built into the contract to ensure that this can be carried out in practice and at any time over the life of the agreement. Effective exit provisions will be required from the start of service agreements to cater for this new early termination risk.

Final considerations and timing

The implementation of the new SCCs will clearly require a thorough review of key provisions in most service agreements which involve a transfer to a data importer not subject to the GDPR. Notably, sensitive contractual provisions such as liability and risk allocation, suspension and termination, force majeure, exit assistance provisions, governing law and competent court, might be affected by the implementation of the new SCCs.

The new SCCs will not only affect new agreements but also existing agreements after a short transition period. The new set of clauses will apply to data transfers related to any new agreements entered into from 27 September 2021 onwards. In case of significant changes to an existing data transfer agreement after that date, the new set of clauses will need to be implemented immediately in such existing agreements, as from the date of the change.

Parties will have until 27 December 2022, at the latest, to implement the new SCCs in all existing agreements that involve data transfers and are not substantially modified before that date.

The related efforts for companies and organisations should not be underestimated, as this kind of review takes time and effort and the available time is short. It is particularly sensitive for existing agreements, as the implementation of the new SCCs may, as explained above, change the agreed balance of the contract. If certain parties refuse to renegotiate the affected key provisions of an existing agreement, the new SCCs will nevertheless need to be applied at the latest at the end of the applicable transition period and will prevail over and above any conflicting existing provisions. Parties will therefore, in any event, need to carry out an updated risk assessment of their contractual relationship.

[1] See for example the Cloudflare case: https://blogs.dlapiper.com/privacymatters/portuguese-cnpd-suspends-transfers-of-census-2021-data-to-the-u-s/