International data transfer: do the new, standard EU contract clauses help middle-sized companies?

 The clauses in old contracts must be updated within 18 months.

Tobias Vößing

International data transfer: do the new, standard EU contract clauses help middle-sized companies?

Blog: Labor Law - Article from 07.09.2021
On June 4, 2021, the EU Commission published the new standard contract clauses for the international transfer of personal customer and employee data. This aims to create greater legal security and, in particular, help small and middle-sized companies. However, data protection officers face a lot of work.

The EU Commission saw a need for action for two reasons: firstly, the existing clauses originate from the time before the EU General Data Protection Regulation (GDPR), which has been in force for two years.

Tough hurdles due to Schrems II judgment

In particular, the Schrems II judgment from the European Court of Justice(CJEU) dated July 16,2020 confronts companies with problems which are difficult to resolve if they intend to transmit personal information to cloud or IT service providers with data centers in third-party countries, namely countries outside of the EU or the European Economic Area (EEA). The judges in Luxembourg declared the Privacy Shield invalid. This was negotiated between the EU and the USA to create a protective shield for the transatlantic transfer of personal data. US law would permit such extensive access by intelligence services and security authorities, that the data protection standard does not comply with that of the EU, the CJEU stated. As a consequence, this eliminated the most important legal foundation for the transatlantic flow of personal customer and employee data for companies.

Lack of reliable and practical regulations

At the same time, the Luxembourg judges attached very strict conditions to the use of the standard contractual clauses on which the data flow to third-party countries is also very frequently based in practice. As a consequence, the contract partners commit to comply with the European data protection standards if, for example, a cloud provider stores customer data at data centers in the USA. Or if an IT service provider located in the United States is granted access to servers in Europe. According to the CJEU, the data exporter needs to examine the individual cases in advance: Do the circumstances of the data transfer or the technical protective measures such as encryption or pseudomyzation guarantee an adequate level of protection? Due to the lack of reliable and standardized guidelines from the data protection authority, companies now often have no idea how to proceed: When are the security measures adequate? Even the Recommendations of the European Data Protection Board (EDPB) only provide a limited degree of assistance.

Comprehensive risk analysis remains

The EU Commission intends to remedy the situation with the new standard contract clauses. In truth, there is greater legal security: In particular, clauses 14 and 15 do justice to the Schrems II judgment and the proposals from the data protection authorities. However, the new standard contract clauses also stipulate that the transfer of personal data shall be prohibited if the law and legal practices in third-party countries prevent the data importer from complying with the safety measures. Customers are obliged to carry out an analysis of the data transfer consequences, known as a Transfer Impact Assessment. They must make certain that the contract partner in the third-party country can fulfill the obligations imposed by the standard contract clauses. In practice, data protection officers have to continue analyzing each specific case: Which laws and the third-party country apply for data transfer? And do these collide with the guarantees stipulated in the standard contract clauses under certain circumstances?

React rapidly

Companies should take action quickly:

  • As of September 29,2021, all newly concluded contracts must comply with the new version.
  • In old contracts, the existing standard contract clauses must be replaced with the new clauses within 18 months or by December 27, 2022. This requires an assessment of the company itself and also of the subsidiaries.
  • In addition, data protection officers must examine the legal situation in the third-party country and obtain information from the contract parties in the third-party countries about the safety measures such as encryption, anonymization or pseudomization that they used to address the particular risks of the data transfer to the third-party country. Under some circumstances, it may make more sense to switch to European providers.
  • Comprehensive documentation of the risk assessment is essential. Since June 1, 2021, many data protection authorities have already begun sending out questionnaires asking how companies deal with the consequences of the Schrems II judgment for international data transfer.

While the EU Commission has taken plenty of time to adapt the standard contract clauses to the GDPR, which took effect in May 2018, it demands far more rapid action from companies. In particular, small and medium-sized companies now face the Herculean task of analyzing the risks of their specific data transfer. A successor agreement to the EU-US Privacy Shield would be truly legally reliable.

Newsletter

Stay up-to-date with the latest news!
Would you like to be informed whenever a new post is published in our labor law blog #LaborLaw by Buse? You wish to know which topic we are going to report on next? Then sign up for our newsletter here:

Works Council Issued Warning for Violation of Works Constitution Act Obligations.

Blog: Labor Law
Works Council Issued Warning for Violation of Works Constitution Act Obligations. Higher Labor Court Baden-Wuerttemberg Confirms possibility of warnings under Works Constitution Act (Ref.: 8 TaBV 3/19).
02.02.2021
Tobias Grambow

Works Council has no Right of Co-Determination in Union Actions.

Blog: Labor Law
Works Council has no Right of Co-Determination in Union Actions. Both employers and works councils are excluded from trade union actions. This is according to a recent decision of the Federal Labor Court (Case No.: 1 ABR 41/18).
29.12.2020
Jan Tibor Lelley

Blog: Labor Law
Works council elections 2022: Determining the elected candidates. Every candidate has to have equal access opportunities.
24.05.2022
Tobias Grambow

Betriebsratswahlen 2022 - Ende der Amtszeit.

Blog: Labor Law
Works council elections 2022 – End of term.
A works council’s term of office generally comes to an end after four years – What exceptions are there?
01.02.2022
Tobias Grambow

Works council elections 2022 – digital, hybrid or analog?

Blog: Labor Law
Works council elections 2022 – digital, hybrid or analog? Is it permitted to hold a works council election using voting software?
01.03.2022
Tobias Grambow

Works council elections 2022 – Appointing the election committee.

Blog: Labor Law
Works council elections 2022 – Appointing the election committee. The works council is generally responsible – Are there exceptions?
25.01.2022
Tobias Grambow
Let’s connect

Do you wish to receive information on recent developments of law, invitations to events or seminars from us? We hereby request your explicit consent.

…Declaration of Consent

BUSE

About us
List of partners
Contact
Imprint
Privacy Policy

 

Arrange a meeting

We can discuss your request directly in a personal meeting. We ensure absolute discretion and professional and honest advice.

…to our offices

© BUSE · Rechtsanwälte Steuerberater Partnerschaftsgesellschaft mbB