Employers beware!
Those who rely on the old standard data protection clauses for the transfer of employee data to third countries should take action as soon as possible. In June 2021, the Commission published new standard data protection clauses. For employers still using the old clauses, the Commission has granted a transition period of 18 months to adapt them. The deadline ends in the course of the next year.
Need for justification when processing employee data
Personal data of employees may only be processed if a justification exists under data protection law. In employment relationships, the main justification is provided by Section 26 (1) Sentence 1 of the German Federal Data Protection Act (“BDSG”), according to which personal data of employees may be processed if this is necessary for the decision on the establishment of an employment relationship, after the establishment of the employment relationship for its implementation or termination, or for the exercise or fulfillment of rights or obligations arising from a law or a collective agreement. Processing of employee data may also be based on consent or on the further conditions of Art. 6 GDPR.
Additional requirements for transfers of employee data to third countries
Further requirements must be met if employee personal data is to be transferred to a third country. Such a data transfer already takes place, for example, if servers of a processor in a third country are used for data processing.
A third country is defined as any country outside the European Union (“EU”). The GDPR provides that any transfer of personal data to a third country is only permitted if the controllers and potential processors comply with the conditions set out in the GDPR. In particular, for third countries that do not have an adequate level of data protection of their own, the responsible employer or its processor must provide appropriate safeguards to ensure that, as far as possible, the employees concerned do not suffer any disadvantages as a result of the data transfer to the third country in relation to the level of data protection under the GDPR.
The EU has adopted so-called adequacy decisions for numerous third countries. This applies, among others, to Switzerland and the United Kingdom, Canada, Israel, Japan and also New Zealand. Personal data of employees may thus be transferred to these countries without further approval, provided that the other provisions of the GDPR are complied with. However, such adequacy decisions are missing for important partner countries such as the USA, China or Australia. Large tech companies from the USA in particular are often used by employers as processors. Transfers to these countries therefore require additional appropriate safeguards as defined by the GDPR.
Threat of fines and claims for damages
If personal data is transferred to a third country without appropriate safeguards, there is a threat of fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover in the previous financial year, whichever is higher. In addition, affected employees may be entitled to additional compensation for pain and suffering and damages.
Solution via the use of so-called standard data protection clauses
One method of choice for creating suitable guarantees is to agree on so-called standard data protection clauses, which are issued by the European Commission in a separate procedure. The main advantage of these standard data protection clauses is that, if they are used, there is no need to apply for approval from the supervisory authority for the transfer.
Old, insufficient standard data protection clauses
Until recently, the following standard contractual clauses issued by the European Commission existed:
- Standard contractual clauses for the transfer of personal data to third countries according to Commission Decision 2001/497/EC of 15.6.2001, OJ 1995 181, 19 (so-called Set I).
- Standard contractual clauses for the transfer of personal data to data processors in third countries pursuant to Commission Decision 2010/87/EU of February 5, 2010, OJ 2010 L 39, 5.
However, since the ECJ’s judgment in Schrems II (ECJ (Grand Chamber), Judgment of July 16, 2020 – C-311/18 (Facebook Ireland and Schrems)), it has been clear that these standard data protection clauses no longer represent a “simple solution”, as, according to the ECJ, they no longer offer sufficient protection against data access by authorities of a third country.
New standard data protection clauses
Due in part to the aforementioned weaknesses, the Commission developed and published new standard data protection clauses for transfers of personal data to third countries at the beginning of June 2021, which are now intended to be in line with the GDPR and the requirements formulated in the “Schrems II” decision. Employers who transfer personal data of their employees to other EU countries are thus to be provided with better legal handling and more effective data protection measures. In the future, there will be four modules to choose from:
- Module 1: Transfer from controllers to controllers.
- Module 2: Transfer of data from data controllers to data processors.
- Module 3: Transmission from processors to processors.
- Module 4: Transmission from processors to controllers.
The completion of the annexes is particularly important. This is where the real work takes place. In the annexes, information about the data processing must be specified in concrete terms (Annex I), technical and organizational measures must be specified for each data transfer/category of data transfer (Annex II – Technical and organizational measures, including to ensure the security of the data), and a list of sub-processors (Annex III) must be completed.
Conclusion and need for action
For employers who have not put any safeguards in place so far or who still use the old standard data protection clauses, there is now a need for action if they do not want to run the risk of significant fines and sanctions.
The original standard data protection clauses (from Decision 2001/497/EC and Decision 2010/87/EU) were repealed on 27 September 2021 (Article 4(2) and (3) of the Implementing Decision on standard contractual clauses). Employers still using the old standard data protection clauses were granted a transition period of 18 months by the Commission to adapt the standard data protection clauses (Article 4(4) of the Implementing Decision on standard contractual clauses). The period ends on September 27, 2022.
Employers should therefore consider taking action soon. We will be happy to support you…