SCCs and CoCs and BCR – Untangling the Web and Spotting the Difference
What are SCCs?
SCCs are a streamlined way of assuring a GDPR-conform data transfer to third countries with a non-adequate data protection level (e.g. the USA) through model contract clauses that have been “pre-approved” by the European Commission. As laid out in art. 46 GDPR SCCs are – in absence of an adequacy decision by the EU Commission – one possible way for data exporters to reach compliance with GDPR.
In view of the Schrems II verdict on 16th of July 2020 (C-311/18) by the European Court of Justice (ECJ) the European Commission replaced the more than ten year old SSC with a new set of standard contractual clauses on 4th of June 2021. They can be applied since 27th of June 2021 and have to replace all previously SCCs until the 27th of December 2022.
Also, it is worth mentioning that in light of the ECJ ruling (Schrems II) the implementing SCCs may not always ensure data subjects whose personal data are transferred to a third country are afforded an adequate data protection level. Thus, the ECJ states that, due to their contractual nature, SCCs cannot bind public authorities and therefore it is for the data exporter to verify, on a case-by-case basis, whether the SCCs provides an actually equivalent level of protection under the law of the third country or if supplementary measures must be taken additionally.
How are SCCs to be used?
Consisting of 18 clauses and an appendix, the SCCs are a blank slate that need to be customized to fit the actual relationship between the parties. However, due to their guarantee nature, SCCs may not be changed in meaning and need to be implemented in a legally binding manner. Permitted are, however, additions enhancing the protection of the data subjects and that do not contradict the clauses.
Separated into four modules the new SCCs, written down in the Annex to the EU Commission Implementing Decision ((EU) 2021/914), can depict every constellation between the contracting parties, modules 3 and 4 being entirely new:
- Controller to controller (C2C)
- Controller to processor (C2P)
- Processor to (sub-)processor (P2P)
- Processor to controller (P2C)
Choosing one of the four modules is the first step. Afterwards one has to remove the other non-applicable modules from the document and if necessary fill in the appendices.
What are Binding Corporate Rules (BCRs)?
BCRs are data protection policies adopted by companies themselves to ensure a smooth flow of data between the different enterprises of the company group while being compliant with the data protection laid out in GDPR. BCRs are especially relevant if a company exports data to enterprises seated in non-adequate third countries, since according to art. 46 para. 2 GDPR they may substitute the lack of an adequacy decision and pass as appropriate safeguards, if the competent supervisory authority approved them.
The implementation of specific corporate interests in BCRs are possible. However, they need to guarantee at least the same protective level as SCCs. Pursuant art. 47 para. 1 GDPR the competent supervisory authority will approve the BCR if the following conditions are met: The BCRs are legally binding for and enforced by all group members, they grant enforceable rights to the affected data subjects regarding the processing of their data and the BCRs fulfil the requirements as in art. 47 para. 2 GDPR. The latter are in particular specifications about information on the type of data and data subject, the purpose and the third country, but also the application of general data protection principles, the rights of the data subject and the establishment of the basic liability of the controller or processor for any breach of BCRs by a group member not established in the EU.
This makes it clear that BCRs can only serve as a transfer tool according to art. 46 GDPR within the data transfer of a group of companies. Therefore, single enterprises exporting personal data to non-adequate third countries can only use the SCC-tools for compliance with GDPR or they can advocate for industry standards like CoCs.
What are Code of Conducts (CoCs)?
Finally, CoCs are data protection policies in form of an industry standard, whether from controller or processor associations. While SCCs aim at regulating cross border data transfer, the instrument of CoCs is not limited to that purpose, which is why it is classified under the fourth chapter of the GDPR.
Technical and organisational measures specific to an industry or category of data processing usually find their place within CoCs as well, meaning the CoCs in question are tailored to said associations or other bodies representing categories of controllers and processors. Art. 40 GDPR gives hints as to what can be further regulated in the CoCs to specify the application of the GDPR. Associations and other bodies representing categories of controllers or processors can for example elaborate on fair and transparent data processing, comment on the exercise of the rights of data subjects or clarify out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects.
To be considered as appropriate safeguards according to art. 46 GDPR CoCs have to be approved by the responsible supervisory authority. As with BCRs, the supervisory authority determines if the CoCs have, among other things, sufficient adequate data protection safeguards within the meaning of art. 46 GDPR. In particular, CoCs need to be legally binding for the companies and enterprises in question and the affected data subjects need to be able to enforce their granted rights effectively in every country, their data is being exported to.
While SCCs, BCRs and CoCs all legally secure the transfer of personal data into non-adequate third countries and enforceable rights of affected data subjects, differences do exist. SCCs are, on the one hand, modular in their approach, need to be customized and issued by a public authority. On the other, BCRs and CoCs are drawn up by private legal entities with company or industry specific interests in mind. This allows the private sector to develop independently industry standards, which suit specific interests of companies or whole industry sectors while maintaining the protective principles of the GDPR. However, in order to be considered as appropriate safeguards for data transfer to a third country in accordance with art. 46 GDPR, they must also contain such guarantees and will thus have to provide a comparable level of data protection as the SCCs.
Article provided by INPLP member: Nicole Beranek (HÄRTING Rechtsanwälte, Switzerland)
Dr. Tobias Höllwarth (Managing Director INPLP)