ANF


One year after the Privacy Shield breach

16/07/2020


On June 4, 2021, the Commission published the new Standard Contractual Clauses (SCCs). On July 16, 2020, the Court of Justice of the European Union declared the Privacy Shield between the EU and the US invalid. This ruling called for strengthening the formalization of standard contractual clauses to ensure that a level of protection equivalent to that guaranteed by the GDPR is maintained. One year later, to commemorate the milestone this ruling marked in international transfers of personal data, we analyze the modifications introduced by Implementing Decision (EU) 2021/914 regarding the new SCCs for transfers of personal data to third countries. SCCs constitute one of the safeguards considered adequate among those listed in Article 46 of the GDPR. Their validity depends on their ability to incorporate effective mechanisms that ensure in practice that the level of protection required by EU law has been achieved.
1. MODULAR APPROACH
This Decision aims to cover the multiple transfer scenarios that occur in practice, taking into account the complexity of current processing chains. Modules:
  • Controller – Controller
  • Processor – Processor
  • Controller – Processor
  • Processor – Controller
Each of the transfer modules in the Decision is structured based on the GDPR principles relating to processing (Article 5 GDPR). Clause 7 establishes the possibility for more than two parties to adhere to the SCCs without the need for any additional modifications or the signing of a new agreement. It also regulates the role of the subprocessor and offers the possibility of providing a general written authorization. The new standard contractual clauses provide, in Annex II, examples of specific technical and organizational measures to maintain the privacy of personal data.
2. SUBSEQUENT TRANSFERS
The interested party must be informed whether or not there is an intention to make subsequent transfers of personal data to third parties. If subsequent transfers are expected to be made, the third party must be bound by these SCCs; otherwise, they must demonstrate that one of the other conditions set forth in clause 8, section 7, is met.
3. ACCOUNTABILITY OR PRINCIPLE OF PROACTIVE RESPONSIBILITY
Another new feature incorporated into the new standard contractual clauses is the introduction of the principle of proactive responsibility arising from the GDPR (Article 5.2), which requires the importer not only to comply with the provisions of these clauses but also to be able to demonstrate this. The clauses go into detail, specifying certain elements, such as reports from independent supervisory bodies and case law, among others, so that a comprehensive assessment can be made and the impact of third-country law on personal data privacy can be evaluated.
4. RIGHTS OF DATA SUBJECTS

The data subject’s rights, governed by the principle of transparency from the outset, are set forth in Clause 10 and are very similar to those provided for in Article 13 of the GDPR. A new provision is that the parties must establish rules for liability and compensation. Furthermore, regardless of the liability attributed by the GDPR to the exporter of personal data, the rule of joint and several liability applies, so the data subject may file a claim with any of the parties involved.

 
5. TRANSITION PERIOD

The contractual clauses contained in European Commission Decisions 2001/497/EC and 2010/87/EU will be repealed as of September 27, 2021. Likewise, an additional 15-month period is established for importers and exporters to stop using the SCCs established in the aforementioned Decisions.

DPO certification is considered a valid and appropriate tool for objectively and impartially assessing the appropriate level of competence to perform the functions entrusted to this entity. ANF AC, as a Certification Entity recognized by ENAC, has the technical competence necessary for DPO certification in accordance with the AEPD Scheme.
