Meaning of Model Contractual Clauses

The Standard Contractual Clauses for Data Protection Authorities adopted by the European Commission on 4 June 2021 therefore aim to provide a single, prima facie legal DPA on which companies and organisations can rely and execute to govern their relationship between the controller and the processor. These decisions aim to provide companies with more comprehensive contractual tools that they can implement before processing or transferring personal data from the EEA in accordance with the new requirements of the GDPR. Unlike the old CCT, which only applied to controller-to-controller (“C2C”) and controller-to-processor (“C2P”) transfers outside the EEA, the new SCCs include various modules that the parties can select and complete depending on the circumstances of the transfer (C2C, C2P, P2P and P2C). In addition, the new CLAs that apply to the transfer of personal data outside the EEA take into account the judgment of the Court of Justice of the European Union (“CJEU”) of 16 July 2020 in the Schrems II case. This directive defines the basis for the processing of personal data in the EU. It is the legal framework within which Microsoft transfers personal data from the EU. In accordance with this Policy and our contractual agreements, Microsoft acts as a processor of Customer Data. Customer acts as a data controller with ultimate ownership and responsibility for ensuring that data can lawfully be made available to Microsoft for processing outside the EEA. The standard contractual clauses for data protection authorities contain all the elements referred to in Article 28 of the GDPR for the validity of the controller and processor agreements. In some sections, they leave the parties some leeway, for example by providing two options for the use of sub-processors (i.e. specific prior authorisation or general written authorisation).

In addition, the European Commission`s Implementing Decision stipulates that the established standard contractual clauses may be used by the parties in whole or in part within the framework of their own data protection authorities or as part of a wider contract. The Decision on the new CBAs for the transfer of personal data to third countries provides for two transitional periods (or grace periods) to allow stakeholders to change their contractual framework. Under the GDPR, the European Commission has the power to adopt implementing acts, in particular: (i) the creation of standard contractual clauses for data protection authorities between controllers and processors and between processors and sub-processors (Article 28(7) GDPR) and (ii) the creation of standard contractual clauses as appropriate protection for the transfer of personal data to third countries (Article 46(2)(a) GDPR). [1] See Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors, in accordance with Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council; and Commission Implementing Decision (EU) 2021/914 of 4. June 2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council. This customer alert is intended to help explain the possible applications of these new standard contractual clauses. The decisions on the model clauses for data protection authorities and new CBCs were adopted by the European Commission on 4 June and published in the Official Journal of the EU on 7 June 2021. They will come into force 20 days after their publication, i.e.

on June 27, 2021. Although the new standard contractual clauses can be used from 27 June 2021, the European Commission has introduced two grace periods for the new CBAs that apply to the transfer of personal data outside the EEA. The initial grace period allows controllers and subcontractors to execute the old CTCs until September 27, 2021. The second grace period allows controllers and subcontractors to rely on old CLAs executed before September 27, 2021 until December 27, 2022. By the latter date, companies that have relied on old CBAs for the transfer of personal data outside the EEA should have fully switched to the new CBAs. [4] See Article 28(8) of the GDPR, which also allowed EU supervisory authorities to adopt standard contractual clauses for data protection authorities. See e.B. la FRANÇAIS CNIL (www.cnil.fr/fr/sous-traitance-exemple-de-clauses); spanish AEPD (www.aepd.es/sites/default/files/2019-10/guia-directrices-contratos.pdf). Denmark, Slovenia and Lithuania have also submitted draft standard contractual clauses for data protection authorities to the European Data Protection Board (“EDPS”) in accordance with Article 28 of the GDPR. .