Strasbourg, 17 May / mai 2022                                                                      T-PD(2022)1rev2Mos

CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION

OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING

OF PERSONAL DATA COMITÉ CONSULTATIF DE LA CONVENTION POUR LA PROTECTION

DES PERSONNES A L’ÉGARD DU TRAITEMENT AUTOMATISÉ

DES DONNÉES A CARACTÈRE PERSONNEL

CONVENTION 108+

Compilation of Comments on

Standard Contractual Clauses for Transborder Flows

Compilation des commentaires sur les

Clauses contractuelles types relatives aux flux transfrontières de données

TABLE OF CONTENT / TABLE DES MATIÈRES

UNITED KINGDOM / ROYAUME-UNI 3

EUROPEAN COMMISSION / COMMISSION EUROPÉENNE.. 5

UNITED KINGDOM / ROYAUME-UNI

CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION

OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING

OF PERSONAL DATA

CONVENTION 108+

Standard Contractual Clauses for Transborder Flows[A1]

(…)

STANDARD CONTRACTUAL CLAUSES[A2]

(…)

PART I - GENERAL CLAUSES

Clause 1.  Purpose and scope

1.1.        The aim of these standard contractual clauses is to ensure compliance with the requirements for the transfer of personal data to a non-state- Party under Convention 108+ (hereinafter the Convention).

These[A3] contractual clauses provide an appropriate level of protection for the transfer of personal data followingunder Article 14(32)(b) of the Convention.

1.2. Description of the transfer

(…)

1.3. Purpose of the transfer

(…)

Clause 2. Definitions

(…)

Special categories of data[A4] (or Sensitive data): (i) related to Genetic data, or (ii) personal data relating to offences, criminal proceedings and convictions, or related security measures; or (iii) Biometric data uniquely identifying a person; or (iv) personal data for the information they revealing data relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life.

(…)

EUROPEAN COMMISSION / COMMISSION EUROPÉENNE

CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION

OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING

OF PERSONAL DATA

CONVENTION 108+

Standard Contractual Clauses for Transborder Flows of Personal Data

COUNCIL OF EUROPE

CONVENTION 108+

STANDARD CONTRACTUAL CLAUSES

(…)

Data Eexporter information

Company[A5]:

Address:

City, Country, zip code:

Email:

Data importer information

(…)

By the signatures of their authorized representatives[A6] below, the parties agree to be bound by the terms of this agreement.

Data Eexporter

By Name:

Title: [xxxx][A7]

(…)

NOTE:

These contractual clauses have been drafted with a view to provide a model for standardised safeguards ensuring an appropriate level of protection for the transfer of personal data to a recipient that is subject to the jurisdiction of a State which is not non Partyies tof Convention 108 (as amended) following the standards established bypursuant to its Article 14(3) (b) of Modernised Convention 108[1]. According to this provision, such a level of protection can be ensured by approved standardised safeguards provided by legally-binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing. They therefore require the approval by a national authority of the Party [of the Data exporter/where the Data exporter is located] in line with domestic law.

(…)

Clause 2. Definitions

(…)

Data processing: any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data. Where automated processing is not used, Data processing means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria.[A8]

Data importer: is the natural or legal person, [public authority, service, agency or any other body], located in a non-state Party,  to which the personal data is transferred from the Data exporter.Data importer: The Controller or Processor located in a non-Party[A9] to whom the Data exporter transfers Personal data.

(…)

Data subject: an identified or identifiable individual whatever his or her nationality or residence[A10].

(…)

Data breach: Aany accidental or unauthorised access non-authorized access to, destruction, loss, use, modification or disclosure of Personal Ddata due to a violation of the principle of data security[A11], in which sensitive, protected data or confidentialPersonal data is copied, transmitted, viewed, stolen or used by an individual or entity unauthorized to do so.

(…)

Genetic data:

(…)

[Source: Article 14.1 of the Convention, Par. 102. of Explanatory Rep]Transborder flows of personal data[A12]: the transfer, making available or disclosure of pPersonal data to a recipient subject to the jurisdiction of another State.

(…)

Non-Party: a country that has not ratified the Convention or where it is not fully in force[A13]. OPTION : [].

(…)

Onward transfer:

(…)

Party (or Parties): each of the signatoriesy of these Clauses[A14].

(…)

Supervisory authority/ies:

(…)

Third-Pparty Bbeneficiary: the Data subject whose Personal data is the object of transborder data flows under these Clauses[A15] an International transfer.

Clause 3. General clauses

3.1.  Invariability of the Clauses

These Clauses set out appropriate safeguards, including enforceable dData subject rights, obligations for data cControllers, obligations for data pProcessors[A16] and effective legal remedies, pursuant to Article 14(32)(b) of the Convention and, with respect to data transfers from controllers to controllers, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Annexes.

(…)

Interpretation

(…)

In the event of a contradiction between these Clauses and the provisions of any related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail. The exception to this is where the conflicting termsprovisions of thesuch related agreements provide greater protection for the Data Ssubject’s rights, in which case those termsprovisions will override[A17] these Clauses.

(…)

Clause 4. Accession clause

An entity that is not a Party to these Clauses may, with the agreement of the other Parties, accede to these Clauses at any time, either as a Data exporter or as a Data importer, by completing and signing the form available in Annex 2, and, if required[A18], updating the data description[A19] of Annex 1.

(…)

Clause 5. Third-Pparty Bbeneficiaries

The Parties agrees and acknowledge that (a) any Data subject whose Personal data was part of an international data were transferred under these Clauses shall be entitled  to invoke the safeguards and guarantees set out in these Clausesto assert rights and remedies hereunder as a Third-party beneficiary with respect to any provisions of these Clauses affording a right, action, claim, benefit or privilege[A20] to such Data subject and (b) the jurisdiction established in Clause 25. is for the benefit of the Data Subject and the Parties shall not challenge such recognition of jurisdiction.

The jurisdiction established in Clause 25 is for the benefit of the Data Subject and must allow for tThird-party beneficiary rights. Tthe Parties shall not challenge such recognition of jurisdiction[A21].

SECTION II – RIGHTS AND OBLIGATIONS OF THE PARTIES

Clause 6. Data protection safeguards

(…)

The Data exporter represents that it has the right to transfer the personal data to the Data iImporter in accordance with theise Agreement Clauses[A22] and the Applicable law.

(…)

Clause 11. Data security

The Data importer, and, during transmission also the Data exporter, shall ensure that the Controller, and where applicable the Processor, takes[A23]adoptadopt appropriate security measures, both of a technical and organizational nature, to protect against risks such as accidental or unauthorized access to, destruction, loss, use, modification or disclosure of pPersonal data.

In particular, the Data importer shall adopt appropriate specific security measures, both of a technical and organizational nature, for each processing, taking into account: in particular the nature of the potential adverse consequences for the individual, the nature of the pPersonal data, the volume of pPersonal data processed, the nature, context and purposes of processing, and the risks involved in the processing, including the degree of vulnerability of the technical architecture used for the processing, and the need to restrict access to the data[A24]., requirements concerning long-term storage, and so forth.

The security measures mentioned above should take into account the current state of the art of data-security methods and techniques in the field of data processing[A25]. Their cost should be commensurate with the seriousness and probability of the potential risks. Security measures

should be kept under review and updated where necessary.

(…)

Each Party shall provide that tThe Controller Data importer shall notifiyes, without delay, at least the Data Exporter, who will notify the competent Supervisory Authority  of those data breaches which may seriously interfere with the human rights and fundamental freedoms of data subjects.[A26]

(…)

[Source: Article 7 of the Convention, Paragraph 65 of the Explanatory Report]

If the Ddata breach is likely to result in a significant risk for the rights and freedoms of individuals, (such as discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage), the Data importer, and alsoif [necessary/required] [in cooperation with/with the assistance of] the Data Exporter[A27], shall notify the Data subjects involved in the Data breach and  provide them with adequate and meaningful information on, notably, the contact points and possible measures that they could take to mitigate the adverse effects of the Data breach.

[Source: Paragraph 66 of the Explanatory Report]

(…)

Clause 12. Special categories of data Sensitive data

(…)

Such safeguards must guard against the risks that the processing of sensitive special categories of data may present for the interests, rights and fundamental freedoms of the data subject notably a risk of discrimination[A28].

The Parties have agreed on the safeguards shall set out these measures in Annex 4[A29].

These safeguards may include, for instance, alone or cumulatively (i) the data subject’s explicit consent for the processing of sensitive data; (ii) a professional secrecy obligation; (iii) measures following a risk analysis; (iv) a particular and qualified organizational or technical security measure (e.g. data encryption, pseudonymisation), (v) limiting  the personnel permitted to access the Sensitive data, and (vi) additional restrictions with respect to further disclosure according to the nature of the data.

(…)

Clause 13. Onward transfers

The Data importer shall not disclose the pPersonal data to a third party recipient located in a non-state- Party unless the third party is or agrees to be bound by these Clauses.the third party ensures an appropriate level of protection in line with Article 14 of Convention 108+.[A30]

(…)

Clause 15. Documentation and compliance

(…)

The Data importer guarantees that it has examined the likely impact of intended data processing on the rights and fundamental freedoms of Data subjects prior to the commencement of such processing and has designed the data processing in such a manner as to prevent or minimize the risk of interference with those rights and fundamental freedoms.

(…)

Clause 16. Use of sub-processors[A31]

(…)

Clause 167 – Rights of the Data subjects

           

(…)

b) to obtain, on request, at reasonable intervals and without excessive delay, confirmation of the processing of Personal data relating to him or her, the communication in an intelligible form of the data processed and transfer, all available information on their origin, on the preservation period as well as any other information that the controller Data importer is required to provide in order to ensure the transparency of processing in accordance with these Clauses[A32];

c) to obtain, on request, knowledge of the reasoning underlying data processing[A33] where the results of such processing are applied to him or her;

(…)

fg) to benefit, whatever his or her nationality or residence, from the assistance of a Supervisory authority within the meaning of these Clauses, in exercising his or her rights under these Clauses[A34].

g) to obtain a copy of these Clauses[A35][A36].

hh) Tto be provided with information on a contact person on the staff of both Parties[A37], whose responsibility it is to ensure compliance with the substantive standards of protectionletters (a) to (g) of this Clause[A38]. The Data subject would be free to contact this person at any time and at no cost in relation to the data processing or transfers and, where applicable, obtain assistance in exercising his or her rights.

The Data importer shall take appropriate measures to facilitate the exercise of data subject rights. In particular, it shall inform Data subjects, through individual notice or on its website, of a contact point authorised to receive requests in the exercise of their rights. Unless otherwise indicated above[A39], the Data importer, if required with the assistance of the Data exporter, shall deal with any requests it receives without undue delay, and in any event within one month of the receipt of the request. Any information provided to the Data subject shall be in an intelligible and easily accessible form, using clear and plain language.

(…)

Clause 178. Redress for the Ddata subject

           

(…)

The alternative mentioned in the paragraph above does not excludeor alter the right of the Data subject afforded by these Clauses, the Convention and the Applicable law to bring lodge a claim at the Supervisory Authority/ies or at the courts of the applicable jurisdiction. [A40]The Data importer shall abide by a decision that is binding under the Applicable law.

(…)

Clause 1920. Supervisory authority

(…)

The Parties hereby consent that the supervisory authority is entitled to request that any of the Parties the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit such transfers, suspend them or subject them to conditions.[A41]

[Source: aArticle 14.(6) of the Convention]

The Parties agree to submit to the jurisdiction of the Supervisory authorities and not to question its powers, its jurisdiction as established by the Applicable law or these Clauses, or any other action including any forms of co-operation between supervisory authorities as provided by the Applicable law and article 15 and 17 of the Convention.

[Source: article 15 and 17 of the Convention],[A42]

(…)

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 201. Local laws and practices affecting compliance with the Clauses

The Parties warrant that they have no reason to believe that the laws and practices in the non-state -Party  of destination[A43] applicable to the processing of the pPersonal data by the Data importer, including any requirements to disclose pPersonal data or measures authorizing access by public authorities, prevent the dData importer from fulfilling its obligations under these Clausess and the Convention. This should include full and joint liability for any material and non-material damages made by the Parties or which occurred to the data subject in relation of the use of the Clauses.[A44]

(…)

(ii) the laws and practices of the third country of destinationnon-Party[A45] – including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(…)

(e) The dData importer agrees to notify the dData exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the non-State Pparty [A46]or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(…)

Clause 212. Obligations of the dData importer in case of access by public authorities

(…)

SECTION IV – FINAL PROVISIONS

Clause 223. Non-compliance with the Clauses and termination

           

(…)

(e) Either Party may revoke its agreement to be bound by these Clauses where the Supervisory authority adopts a decision pursuant the Applicable law that covers the transfer of pPersonal data [A47]to which these Clauses apply. This is without prejudice to other obligations applying to the processing in question under the Applicable law.

(…)

[OPTIONALClause 256. Dispute resolution between the Parties through Arbitration [OPTIONAL]

[OPTION 1]

[WIPO CLAUSE]

Arbitration clause for B2B conflicts

Any dispute, controversy or claim between the Parties arising under, out of or relating to these Clauses and any subsequent amendments of this contract, including, without limitation, its their formation[A48], validity, binding effect, interpretation, performance, breach or termination, as well as non-contractual claims, shall be referred to and finally determined by arbitration in accordance with the WIPO Arbitration Rules. The arbitral tribunal shall consist of [a sole arbitrator][three arbitrators]. The place of arbitration shall be [specify place]. The language to be used in the arbitral proceedings shall be [specify language]. The dispute, controversy or claim shall be decided in accordance with the law of [specify jurisdiction].[A49]

(…)

The alternative mentioned in the paragraph above does not exclude or alter the right of the Data subject afforded by these Clauses, the Convention and the Applicable law to lodge a claim of any kind at the Supervisory Authority/ies or at the courts of the applicable jurisdiction.[A50]

(…)

The alternative mentioned in the paragraph above does not exclude or alter the right of the Data subject afforded by these Clauses, the Convention and the Applicable law to lodge a claim of any kind at the Supervisory Authority/ies or at the courts of the applicable jurisdiction.

[A51]

Clause 267. General Provisions

[These are standard clauses in contracts. These may be merged with the general clauses of the first section of the SCC in order not to have two general sections[A52]]

(…)

All Amendments and Waivers in Writing. Except to the extent expressly set forth in this Agreement, no provisions in either Party’s business forms, letter or communications employed by either Party will supersede the terms and conditions of this Clauses. Any waiver by either party of a breach of any provision of this Agreement must be in writing.[A53]

Severability. If any provision of this Clauses is held invalid by a court with jurisdiction over the Parties to this Clauses, such provision will be deemed to be restated to reflect as nearly as possible the original intentions of the pParties in accordance with the Convention and Applicable law[A54], and the remainder of this Agreement will remain in full force and effect.

Entire Agreement. No representations or statements of any kind made by either pParty that are not expressly stated herein will be binding on such pParty. The Parties agree that these Clauses constitute the complete and exclusive statement of the Agreement between them, and supersedes all proposals, oral or written, and all other communications between them relating to the subject matter hereof.[A55]

Authority. Each pParty hereby represents and warrants that the execution, as applicable, delivery and performance by such pParty of this Agreement is within its corporate powers and has been duly authorized by all necessary corporate action on its part.

(…)

The  Annexes, Appendices, and  footnotes to this Agreement  constitute an integral part of this Agreement. All the Annexes to these Clauses are an integral part of these Clauses. Capitalised terms will have the meanings given to them in cClause 2.

***

(…)

Annex 2

Accession form

(…)

By the signatures of their authorized representatives below, [Company name] agrees to become, with immediate effect, a Party to and agrees to be bound by the terms of, the Contractual clauses for transborder flow of personal data from controller to controller[A56]International data transfer Agreement as if it had originally been party to the Clauses.

(…)

(…)

Measures for allowing data portability [A57]and ensuring erasure]

Annex 4

Measures for sSensitive data

[These safeguards may include, for instance, alone or cumulatively (i) the data subject’s explicit consent for the processing of sensitive data[A58]; (ii) a professional secrecy obligation[A59]; (iii) measures following a risk analysis; (iv) a particular and qualified organizational or technicaladditional security measures [A60](e.g. data encryption, pseudonymisation), (iiv) limiting  the personnel permitted to access the Sensitive data, and (viii) additional restrictions with respect to further disclosure according to the nature of the data].

(…)

Annex 54

LIST OF SUB-PROCESSORS

[ONLY FOR MODULE 2 & 3 to be drafted after concluding model C2C - This annex has to be completed by the Parties  

if they agree to pre-authorize sub processors]