The EU Commission published the draft of the new #SCC for international data transfers today. Below, a first summary on the draft:
In short, the SCC now include “most” of the GDPR’s provisions. They will help large groups and limit business opportunities for SME. #EUDataP #GDPR
In short, the SCC now include “most” of the GDPR’s provisions. They will help large groups and limit business opportunities for SME. #EUDataP #GDPR
The main part is Section II – Obligations of the parties:
It contains detailed obligations on complying with GDPR requirements for Importers and – mainly – Exporters in Clauses 1, 4-9.
Clauses 2 and 3 describe the process of analyzing third countries’ laws.
It contains detailed obligations on complying with GDPR requirements for Importers and – mainly – Exporters in Clauses 1, 4-9.
Clauses 2 and 3 describe the process of analyzing third countries’ laws.
Clause 2 requires warranting the GDPR’s obligations: The Parties need to conduct an audit based on specific circumstances on the law in the third countries. Documentation and supplying the audit to the Supervisory authorities on request is necessary.
Clause 3 describes the process how the Importers need to relate to government requests: the importer needs to notify the exporter. If a notification is prohibited, the importer needs to conduct several steps, e.g. trying to obtain a waiver. Also, providing general reports.
Clause 1 of Section II describes several detailed obligations of the Importer. This includes detailed provisions on: Transparency to Data Subjects about the Importers, Storage Limitation (with certification of deletion by Importer), IT-Security, Onward Transfers.
Clauses 4-6 include provisions on Sub-Processors (as in Article 28 GDPR), Data Subjects Rights (description on how to deal with inquiries and requests), and Redress (e.g. providing a contact point for Data Subjects online by the Importer).
Clauses 7-9 describe liability, Indemnification between the Parties, and Supervision by the Supervisory Authorities. E.g., the Importer needs to submit himself to the jurisdiction of the competent Supervisory Authority.
Section III allows the Exporter to terminate the contract in case the Importer does not comply with the legal obligations. Disputes need to be resolved by courts of EU Member States.
To summarize: The old SCC were so abstract, that no Importer could derive clear obligations from it. This changes with the new, detailed SCC, which describe several GDPR obligations more closely.
Will the new SCC help to address the ECJ’s requirements on the Standards in Third Countries? Unclear. It makes sense to include a process on how to relate to the problems, but if the “essence of fundamental rights” is considered to be breached, no chance of export remains.
This is the result of a quick reading and far from exhaustive. Still, I hope the thread provides a first insight. I’m looking forward to your comments and discussions!
@aspvr @grages_jm @stephanschmidt @kleibold23 @TimWybitul @sas_assion @bettercallaFA @sgpqr @golland_privacy @nutellaberliner @ViolaLachenmann @Carola_Sieling @gabrielazanfir @omertene @Fredomatikus @CarloPiltz @PiracyByDesign
• • •
Missing some Tweet in this thread? You can try to
force a refresh
