It has become common knowledge that the General Data Protection Regulation (2016/679) (GDPR) heavily restricts transfers of personal data outside of the European Union (EU). In the absence of an adequacy decision by the European Commission, the GDPR allows controllers and processors to transfer personal data to a third country outside of the EU only if appropriate safeguards have been provided, and enforceable rights and effective legal remedies are available to the data subjects whose personal data is transferred.
Appropriate safeguards may be provided by using standard contractual clauses adopted by the European Commission. Standard contractual clauses (SCCs) are standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. They can be used on a stand-alone basis, or controllers and processors can incorporate them into their contractual arrangements with other parties, for instance commercial partners.
In June 2021, the European Commission adopted two sets of Standard Contractual Clauses (SCCs), one of which is considered to provide appropriate safeguards for the transfer by a controller or processor of personal data processed subject to the GDPR (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to the GDPR (data importer). These ‘Transfer SCCs’ include four different modules that cater for most data transfer scenarios: controller to controller (Module One), controller to processor (Module Two), processor to processor (Module Three), and processor to controller (Module Four).
Depending on which module is relied on, controllers and processors outside of the EU that “import” personal data may face notification requirements if they have become the victim of a personal data breach – e.g., as a result of a malware attack:
- In the case of Module One (controller to controller transfers), if there is a personal data breach involving personal data processed by the data importer under the Transfer SCCs, the data importer must take appropriate measures to address the personal data breach, including measures to mitigate possible adverse effects. If the personal data breach is likely to result in a risk to data subjects’ rights and freedoms, the data importer is required to notify – without undue delay – both the data exporter and the supervisory authority identified in the annexes to the Transfer SCCs. To the extent it is not possible for data importers to provide all the information at the same time, they may do so in phases. It will also be important for data importers to indicate in their notification that they are informing the supervisory authority in order to comply with their contractual duty under Module One of the Transfer SCCs – especially if they take the position that their processing of the data is not subject to the GDPR.
In addition to regulator notifications, if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data importer may have to notify the affected data subjects, in cooperation with the data exporter. The data importer is exempt from such notification if it has implemented measures to significantly reduce the risk to the rights or freedoms of data subjects (e.g., data encryption), or if individual notification of affected individuals would involve disproportionate efforts. In the latter case, the data importer is expected to issue a public communication or take similar measures to inform the public of the personal data breach.
It is worth noting that the notification thresholds in Module One are slightly different from those that apply to controllers whose processing is subject to the GDPR. In the case of a personal data breach, controllers subject to the GDPR must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the relevant supervisory authority unless the personal data breach is unlikely to result in a risk to data subjects’ rights and freedoms. If the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.
- In the case of Module Two (controller to processor transfers), if there is a personal data breach involving personal data processed by the data importer under the Transfer SCCs, the data importer is required to notify the data exporter without undue delay after having become aware of the breach. If it is not possible to provide all information at the same time, the initial notification should contain the information available at that point, and further information should be provided as soon as it becomes available. Consistent with the GDPR, the Transfer SCCs do not impose a duty on the data importer/processor to notify affected individuals of the breach. However, the data importer is required to cooperate with and assist the data exporter/controller, so that the latter can comply with its obligations under the GDPR, in particular notifying the supervisory authority and, if needed, affected individuals.
- In the case of Module Three (processor to processor transfers), if there is a personal data breach involving personal data processed by the data importer under the Transfer SCCs, the data importer must notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. The data importer must also cooperate with and assist the data exporter, so that the data exporter can comply with its obligations under the GDPR, in particular to notify the controller. The controller can then determine if it needs to notify its supervisory authority and the affected individuals (in case of a high risk).
- In the case of Module Four (processor to controller transfers), if there is a personal data breach involving personal data processed by the data exporter under the Transfer SCCs, the data exporter must notify the data importer without undue delay after becoming aware of it, and assist the data importer in addressing the breach. However, as the data importer’s data processing will typically not be subject to the GDPR in cases where the Transfer SCCs are used, the data importer has no notification duties under the GDPR.
Companies that are using the Transfer SCCs to “import” personal data originating in the EU should be aware of the breach notification requirements that apply to their specific Module(s). Also, they would be well advised to ensure that their Incident Response Plan takes account of these requirements.