In Perspective: European Commission publishes Q&A on SCCs for data transfers


In this week’s issue of In Perspective, Natasha King, Data Protection Consultant at Xcina Consulting, looks at the European Commission’s published Q&A on EU standard contractual clauses, and a warning from the ICO around the collection of excessive personal data.

Find out the details of these and other key emerging themes as events unfold. Our analysis looks at what happened and why it matters; read our complete review below.

EU

European Commission publishes Q&A on SCCs for data transfers

What happened

  • The European Commission published a Q&A on the two sets of standard contractual clauses (one set for controllers and processors and another for the transfers outside of the EEA) for data transfers under the EU GDPR.
  • According to the Commission, the Q&A provides practical assistance on the use of SCCs and aids stakeholders in compliance efforts. It will be updated as new questions emerge.
  • The Q&A consists of 44 questions and the key takeaways are:
    • The obligations of Article 28 of the GDPR have been included into the SCCs for data transfers from controllers to processors or processors to sub-processors. As a result, companies are not required to sign a separate data processing agreement in order to comply.
    • When transferring personal data to controllers or processors in non-EEA countries that are directly subject to the GDPR, organisations cannot rely on the 2021 set of SCCs to comply with the GDPR, as the Commission states that this would “duplicate and, in part, deviate from the obligations that already follow directly from the GDPR.” The European Commission intends to issue a new set of SCCs for use by organisations in this scenario.
    • Whilst SCCs can be supplemented with additional clauses or incorporated into a broader commercial contract, the other contractual provisions must not contradict the SCCs. In particular, SCCs “may not include a general exculpation from liability”, suggesting that liability caps are prohibited.

Why it matters

  • Organisations intending to implement the new EU SCCs for EU transfers must keep in mind that the deadline for replacement of the “old” EU SCCs with the new SCCs is 27 December 2022.
  • The Commission expects data exporters to inform data subjects where SCCs are used to transfer data and provide a copy of the signed clauses on request, including the completed and signed annexes. A general reference to the SCCs (e.g. by providing a link to the Commission’s website) is not sufficient.  
  • Organisations should assess whether it is necessary to update their privacy policies and data subject rights handling processes to provide the required information.
  • The Commission’s confirmation that the new SCCs cannot be used for transfers to controllers or processors in third countries that are directly subject to the GDPR leaves a compliance gap pending a new set of SCCs for use in this scenario.

ICO

UK Information Commissioner warns excessive police data requests violate victims’ rights to privacy

What happened

  • The ICO has called on the criminal justice sector to immediately stop collecting excessive amounts of personal information from victims of rape and serious sexual assault cases.
  • According to the ICO, police in the UK require victims to provide ‘blanket’ consent to them accessing large amounts of personal data before accessing justice. In England and Wales, this is known as a ‘Stafford statement,’ and it allows police access to the victim’s information, including school records, medical histories, social service data and mobile phone content.
  • The requests fell short of the requirements of the DPA 2018 and UK GDPR and were therefore unlawful.

Why it matters

  • Recital 43 of the GDPR specifies that valid consent must be freely given and does not provide a valid legal ground for the processing in a case where there is a clear imbalance of power between the data subject and the controller, particularly where the controller is a public authority.
  • Consent is just one lawful basis for processing personal data, and it is appropriate only where you can offer individuals genuine choice and control over the use of their data. Organisations that cannot offer a genuine choice because consent is a precondition of a service should consider relying on an alternative, more appropriate lawful basis.
  • Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
  • This serves as an important reminder that data minimisation is key. Any personal data obtained or otherwise processed in relation to an individual must be adequate, relevant, not excessive and pertinent to the purpose specified.

Guidance

EU Data Governance Act published in official journal

What happened

  • The EU Data Governance Act (DGA) was published in the European Union’s Official Journal this month. It will take effect on 23rd June and will apply to companies 15 months thereafter.
  • The DGA establishes new guidelines for data marketplace neutrality and allows the wider reuse of public sector data, including personal data, with the goal of increasing trust in data sharing for research and other public-interest activities.
  • The DGA creates a framework to adopt a new business model that will provide a secure environment in which companies or individuals can share data.
  • For personal data, it is intended that the model will help individuals exercise their rights under the GDPR, in having full control over their data and allowing them to share their data securely with an organisation they trust.

Why it matters

  • The DGA provisions will expand prospects for EU organisations that make use of public sector data, including personal data, as well as facilitating new data sources. Ensuring your organisation has a robust data governance framework in place will be particularly important in managing increased volumes of data.
  • The DGA sets out the requirement to ensure that the protection of data is preserved and sets out various methods by which this can be achieved, including techniques for anonymisation and pseudonymisation in the re-use of personal data.
  • The DGA will be followed by a second legislative proposal focussed on greater data sharing: the Data Act, a draft of which was published by the European Commission earlier this year.
  • Both pieces of legislation are the result of the European Data Strategy, which aims to create shared European data spaces in order to promote data availability across society.

We’d love to hear from you

Natasha is an experienced privacy professional with a proven ability to implement and manage successful data protection compliance programmes across various sectors including the NHS, Local Authority and most recently the insurance industry. She has a strong appreciation of an organisation’s risk appetite and risk culture in day-to-day activities and decisions and has successfully dealt with complex privacy challenges. She is a member of the International Association of Privacy Professionals (IAPP), holding a CIPP/E accreditation and is a certified BCS Practitioner in Data Protection.

To discuss how the areas highlighted in this post, or any other aspect of risk management, information governance or compliance, impact your business, speak with our team. Tell us what matters to you and find out how we can help you navigate complex issues and deliver long-term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at info@xcinaconsulting.com. We’d love to hear from you.

Natasha King

Data Protection Consultant

Speak to me directly by email or telephone: +44 (0)20 3745 7826
