The EU Commission published the draft of the new #SCC for international data transfers today. Below, a first summary on the draft:
In short, the SCC now include “most” of the GDPR’s provisions. They will help large groups and limit business opportunities for SME. #EUDataP#GDPR
The main part is Section II – Obligations of the parties:
It contains detailed obligations on complying with GDPR requirements for Importers and – mainly – Exporters in Clauses 1, 4-9.
Clauses 2 and 3 describe the process of analyzing third countries’ laws.
Clause 2 requires warranting the GDPR’s obligations: The Parties need to conduct an audit based on specific circumstances on the law in the third countries. Documentation and supplying the audit to the Supervisory authorities on request is necessary.
Clause 3 describes the process how the Importers need to relate to government requests: the importer needs to notify the exporter. If a notification is prohibited, the importer needs to conduct several steps, e.g. trying to obtain a waiver. Also, providing general reports.
Clause 1 of Section II describes several detailed obligations of the Importer. This includes detailed provisions on: Transparency to Data Subjects about the Importers, Storage Limitation (with certification of deletion by Importer), IT-Security, Onward Transfers.
Clauses 4-6 include provisions on Sub-Processors (as in Article 28 GDPR), Data Subjects Rights (description on how to deal with inquiries and requests), and Redress (e.g. providing a contact point for Data Subjects online by the Importer).
Clauses 7-9 describe liability, Indemnification between the Parties, and Supervision by the Supervisory Authorities. E.g., the Importer needs to submit himself to the jurisdiction of the competent Supervisory Authority.
Section III allows the Exporter to terminate the contract in case the Importer does not comply with the legal obligations. Disputes need to be resolved by courts of EU Member States.
To summarize: The old SCC were so abstract, that no Importer could derive clear obligations from it. This changes with the new, detailed SCC, which describe several GDPR obligations more closely.
Will the new SCC help to address the ECJ’s requirements on the Standards in Third Countries? Unclear. It makes sense to include a process on how to relate to the problems, but if the “essence of fundamental rights” is considered to be breached, no chance of export remains.
This is the result of a quick reading and far from exhaustive. Still, I hope the thread provides a first insight. I’m looking forward to your comments and discussions!
Wann genau ist eigentlich die richtige Zeit, um über die Fehler von @jensspahn, der Landesgesundheitsminister und des @rki_de im Schutz vor #Corona zu sprechen? Ein Untersuchungsausschuss wäre dringend nötig. #COVID19de
Zu klärende Fragen wären zumindest:
1. Welche Schutzmaßnahmen wurden ab 31.12.2019 getroffen und warum nicht? 2. Wann informierte das RKI Herrn Spahn über die Gefahren von #Corona? 3. Wurde die Gefahr durch das RKI unterschätzt oder durch Herrn Spahn?
4. Nahm Herr Spahn Einfluss auf das RKI, die Gefahren herunterzuspielen, nachdem die Risiken bekannt wurden? 5. Warum wurden keine Maßnahmen gegen das Einfliegen des Virus aus Ländern wie China, dem Iran, später Italien getroffen?