For many US-based multinational organizations, EU-approved Standard Contractual Clauses (“SCCs”) have long represented a relatively straightforward solution for the compliant transfer of personal data of EU residents to the organizations’ US headquarters. Unfortunately, SCCs do not provide a solution for the all-too-common scenario in which the US entity retains an EU service provider to perform services which include the transfer of EU resident personal data to the US. Processor-to-Controller SCCs simply do not exist. However, many US entities have been entering into SCCs for this type of scenario for years with the incorrect belief that doing so would meet their data transfer obligations under the EU Data Protection Directive and later, the General Data Protection Regulation (“GDPR”).
In order to make such transfers in a compliant manner, organizations may need to re-think their transfer strategy and amend existing agreements in which the transfers are based incorrectly on SCCs. With scrutiny of SCCs by EU Data Protection Authorities (“DPAs”) set to increase in coming months following the Schrems II decision, organizations receiving EU personal data from service providers based in Europe should take steps now to reduce their risk of violations.
Options are somewhat limited for organizations seeking to make this type of transfer in line with applicable requirements. For some transfers, data subject consent may be viable, but this would apply only in limited circumstances (e.g., where the transfer of personal data is not repetitive and limited in volume). Binding Corporate Rules may facilitate solutions allowing an entity to receive EU personal data in their ex-EU affiliates, but BCR approval by DPAs is a time consuming and often expensive undertaking.
The SCC Solution
A viable solution for many organizations with affiliates in the EU is the combination of an Inter-Company Data Transfer Agreement containing SCCs, combined with a contract with the EU-based service provider (the data processor) which contains required GDPR Article 28 provisions (a Data Processing Agreement). The structure, depicted in the diagram below, requires that an EU entity (the data controller) be a party to the contract with the service provider. Note that the US entity may be a party to the contract, but the EU entity must be a party.
The personal data of EU residents may either be collected directly by the third-party service provider or provided to the service provider by the EU controller. The transfer to the US (or other country outside of the EU) is made by the service provider, but only on the clearly documented direction of the controller, detailed in the contract between the parties. The service provider/processor is “stepping into the shoes” of the EU controller, essentially becoming its agent.
The Inter-Company Data Transfer Agreement should be carefully drafted to detail the types of transfers that may be made under the agreement. It must also include GDPR Article 28 terms, as well as both Controller-to-Processor and Controller-to-Controller SCCs, each applicable to the type of transfer being made in specific instances (i.e., will the importing affiliate company determine the means and purpose of processing upon receipt of the personal data, or will it act on the instructions of the EU-based affiliate?). The Inter-Company Data Transfer Agreement should also address steps that should be taken if the entities are acting as Joint Controllers with regard to the data being transferred.
The Schrems II decision has left many multi-national organizations struggling to find an adequate and compliant approach to ex-EU transfers of personal data of EU residents. With Privacy Shield invalidated and SCCs set to come under increasing scrutiny from DPAs, companies contracting with EU-based service providers that will export EU personal data need to focus on establishing a viable, workable structure to support such transfers. A well-drafted Inter-Company Data Transfer Agreement, including Article 28 provisions and SCCs, will set the groundwork for such transfers. In particular, this structure will support transfers in circumstances in which an EU affiliate is a party to a contract with the service provider which contains Article 28 terms and clear direction on the purposes and means of the processing and the transfers.