EU data protection legislation applies to the European Economic Area (EEA), which includes all EU countries as well as the non-EU countries Iceland, Liechtenstein and Norway. This directive sets the basis for the management of personal data in the EU. It is the legal framework under which Microsoft transfers personal data from the EU. In accordance with this policy and our contractual agreements, Microsoft acts as the party responsible for customer data. The client acts as the party responsible for processing, with final ownership and liability for ensuring that the data can be legally made available to Microsoft for processing outside the EEA. The European Commission has just published, for consultation, a draft of the updated version of the long-promised standard contractual clauses (SCCs). SCCs are the most commonly used legal mechanism for the transfer of personal data from the EEA to countries outside it (known as “third countries”). In short, the new SCCs have finally caught up with the GDPR, which came into force almost two and a half years ago. As soon as the Commission formally adopts the new SCCs, organizations will have one additional year to move from the old SCCs to the new SCCs. If you make a limited transfer that is not covered by an adequacy decision or adequate protection, you can only make that transfer if it is covered by one of the “exceptions” under Article 49 of the GDPR.
Before you make a limited transfer, you should consider whether you can achieve your goals without sending personal data. A British company sells holidays in Australia. It sends the personal data of guests who have purchased the holidays to the hotels they have chosen in Australia to secure their bookings. This is a limited transfer. On the basis of the draft implementing decision, companies have 12 months from the effective date of the new SCCs to replace the existing standard contractual clauses currently applicable to international transfers of personal data with the new SCCs. The European Commission is due to adopt the new SCCs in early 2021. The reform of EU data protection legislation, adopted in 2016, offers a diverse set of mechanisms for transferring data to third countries: adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms, codes of conduct, “derogations”, etc. You can make a limited transfer if you and the recipient have entered into a custom contract for a specific limited transfer, and that contract has been individually approved by the supervisory authority of the country from which the personal data is exported.
If you make a limited transfer from the UK, the ICO must have approved the contract. The EU has drawn up specific provisions for cross-border data flows and the protection of personal data, which will be presented in international trade negotiations. The new SCCs clearly outline the obligations of the controller and the processor. In many cases, the English-language version of the new SCCs is clearer than the English-language version of the GDPR itself. U.S. companies with little knowledge of the GDPR (for example, companies that receive personal data from the EU but do not themselves fall within the territorial jurisdiction of the GDPR) will find it easier to understand their concrete obligations under the SCCs. The clarity of the new SCCs is a marked improvement over the contractual hand-waving at the GDPR that is a feature of many agreements involving EU personal data. A British tour operator offering tailored travel arrangements can rely on this exception to send personal data to a hotel in Peru, provided that it does not regularly arrange for its guests to stay at this hotel.