Following the decision of the Court of Justice of the European Union in the Schrems II case, the new SCCs stipulate that both parties must carry out an impact assessment for the transfer of data. The parties shall document the assessment and indicate that they have taken (if necessary) all relevant additional contractual and technical measures. It is important to note that in this assessment, the parties may take into account industry practices and the previous experience of the data importer with respect to requests from public authorities.

As expected, the updated SCCs also include strong protection for data subjects. The general responsibilities of the data exporter under the GDPR include informing data subjects of the intention to transfer their personal data, including the categories of personal data processed, the right to obtain a copy of the standard contractual clauses and any disclosure. In addition, with a few exceptions, data subjects are able to enforce the SCCs as third-party beneficiaries with regard to the obligations of the data exporter and the data importer. Therefore, the SCCs should oblige the data importer to inform data subjects via a contact point and to deal promptly with complaints or enquiries. In the event of a dispute between the data importer and a data subject exercising his or her rights as a third-party beneficiary, the data subject may lodge a complaint with the competent supervisory authority or bring the dispute before the competent courts of the EU.

Although the new SCCs partially respond to the Schrems II decision, they may not be sufficient on their own for some data importers, and additional measures by the European Data Protection Board may be necessary to complement the SCCs' obligations.
6 Philip Gordon, et al., “Schrems II” and transfers of HR data: Action steps for US multinationals, International Association of Privacy Professionals, July 22, 2020 (available at iapp.org/news/a/schrems-ii-and-cross-border-transfers-of-hr-data-action-steps-for-u-s-multinational-employers/).

The former SCCs were specific contractual instruments adopted by the European Commission to take account of specific situations: C2C transfers (SCCs 2001) and C2P transfers (SCCs 2010). The SCCs may also be used by controllers or processors not established in the EU to the extent that the processing is subject to the GDPR, in accordance with Article 3(2), because it relates to offering goods or services to data subjects in the EU or to monitoring their behaviour to the extent that it takes place in the EU.

It should be noted that the new SCCs do not address all the concerns raised by the CJEU in the Schrems II case, and that there is still a strong interest in the United States and the EU reaching an agreement on a new Privacy Shield; these negotiations are ongoing, with the main aim of avoiding a future Schrems III. Meanwhile, companies must rely on SCCs and other transfer mechanisms available for cross-border data transfers to the United States.

A data controller is the entity that determines the purposes and means of processing. Data controllers are the owners of the data.

b. If, during the term of this DTA, the data importer receives requests from government agencies, it will inform (unless prohibited by applicable law) the data exporter in writing as soon as possible, and the data exporter and data importer will discuss (as soon as reasonably possible) and determine whether all or part of the customer's transfers of personal data should be suspended under this Agreement in light of those government agency requests.

Although the new standard contractual clauses of 27 June 2021, the European Commission introduced two grace periods for new SCCs that apply to the transfer of personal data outside the EEA. The initial grace period allows controllers and subcontractors to execute the old SCCs until September 27, 2021. The second grace period allows controllers and subcontractors to rely on old SCCs executed before September 27, 2021 until December 27, 2022. From the latter date, companies that have relied on old SCCs for the transfer of personal data outside the EEA should be fully switched to the new SCCs.

a. The data importer represents and warrants that, at the time of the transfer, it has not received any formal legal request from government intelligence or security services/agencies of the country to which the relevant customer personal data is exported to access the customer's personal data submitted to the data importer under this agreement (“requests from government agencies”); and

The standard contractual clauses for data processing agreements contain all the elements referred to in Article 28 of the GDPR for the validity of contracts relating to the processor. In some sections, they leave the parties some leeway, for example by providing two options for the use of sub-processors (i.e. specific prior authorisation or general written authorisation). In addition, the European Commission's Implementing Decision stipulates that the established standard contractual clauses may be used by the parties in whole or in part within the framework of their own data processing agreements or as part of a wider contract.

Under the new SCCs, the European Commission has adopted a single set of clauses within a contract comprising three types of provisions: (i) fixed clauses that must remain unchanged regardless of the parties executing the new SCCs; (ii) modules to be added to or removed from the final contract, depending on the parties executing the new SCCs (C2C, C2P, P2C and P2P) and their choice from the available options; and (iii) blank clauses and annexes to be completed and supplemented by the parties with relevant information (e.g. categories of data transferred, data subjects, etc.).