As per the Chapter 5 of GDPR[1], personal data may only be transferred to third countries or to international organizations from a data controller which falls under the jurisdiction of the European Union (“EU”)/European Economic Area (“EEA”) if the adequate level of protection to data subjects’ rights are provided by appropriate safeguards or under some specific circumstances[2] without appropriate safeguards. Transferring personal data to the countries outside the protection of GDPR is defined as a restricted transfer[3]. In order to conduct restricted transfers, signing Standard Contractual Clauses (“Model Clauses”, “SCC”), which includes a third-party beneficiary clause that enables data subjects to exercise contractual rights even though they are not a party to the contract, is the most practical and simple way to ensure such adequate protection level[4].

European Commission has approved four different Model Clauses to indicate a proof of adequate data protection regarding transfers of personal data to a third country which does not ensure an adequate level of protection as per the Article 26(4)[5] of Directive 95/46/EC[6]. Since Set I Controller to Processor Model Clauses was replaced by Set II Controller to Processor Model Clauses[7] and cannot be used anymore, currently, there are three versions of SCCs which are still in effect and can be used to provide appropriate safeguards pursuant to the Article 46(5) of GDPR including one version for controller to processor and two versions of controller to controller. In this note, Model Clauses will be introduced and basics on Model Clauses will be addressed.

Controller to controller transfers

Controller to controller Model Clauses are designed to be used where both parties are data controllers and the receiving party is subject to a third country’s legal system that does not ensure the adequate protection for data subjects’ rights. These Model Clauses are feasible for B2B operations which includes cross border personal data transfers between parties. For example, where an EU based company and a non-EU based company enter into a business relationship that requires them to send personal data of their employees in order to achieve mutual goals, controller to controller Model Clauses may constitute a legal base for the data transfer. However, if one of the parties acts as a data processor, controller to controller Model Clauses cannot be used for such transfers.

There are two versions of controller to controller Model Clauses which may be used at the choice of the parties depending on the nature of personal data in subject and other factors. Compared to the Set I Controller to Controller Model Clauses[8][9], Set II Controller to Controller Model Clauses[10] has more flexible provisions for parties. While Set I Controller to Controller Model Clauses stipulates joint and several liability for parties, Set II Controller to Controller Model Clauses which was summited by the International Chamber of Commerce and other business associations so that operators would have a more business-friendly SCC option, offers a liability regime that parties would be liable for merely their own breach of their contractual obligations. Moreover, Set II Controller to Controller Model Clauses offers an option for data importers on the laws and regulations which data processing will be conducted in accordance with it under the Clause II(h).

Additionally, parties are free to include any other clauses on business related issues related to all versions of Model Clauses, as long as they do not contradict the genuine provisions of SCCs.

Controller to processor transfers

In order to facilitate a legal base for a restricted transfer, there is one version of Set II Controller to Processor Model Clauses[11][12] that can be used to ensure an adequate level of data protection. For the purpose of providing adequate level of data protection, Set II Controller to Processor Model Clauses stipulates third-party beneficiary right for data subjects that enables them to enforce any breach of the importer, exporter, or even sub processor’s contractual obligations.

Set II Controller to Processor Model Clauses are structured in a way that they can merely be used for the restricted transfers which includes a data exporter as the EEA based data controller and a data importer as the non EEA based data processor. Therefore, such Model Clauses cannot be used for the scenarios where an EEA based processor is transferring data to a non EEA based sub processor[13]. On the other hand, where data is transferred to a non EEA based data processor and afterwards to a sub processor engaged by such non EEA based processor, the sub processor can co-sign Set II Controller to Processor Model Clauses signed between parties. In such scenario, such non-EEA based processor as the data importer shall remain fully liable towards the data exporter for the performance of the sub processor's obligations under Set II Controller to Processor Model Clauses.

Furthermore, controllers have to take into consideration that signing merely Set II Controller to Processor Model Clauses for processing activities shall not release them from their obligations under Article 28 of GDPR. Therefore, signing Model Clauses and fulfilling requirements of data processing contracts in terms of Article 28(3)[14] of GDPR have to be assessed separately and full compliance has to be achieved regarding both provisions of restricted transfer and data processing.