The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Does the GDPR require that I register my model contract clauses with relevant supervisory authorities?
Answer: No. Under the EU Data Protection Directive (the law that predated the GDPR), many member states required companies to register their data processing activities with the member state’s supervisory authority. In addition, if a company intended to send data outside of the European Economic Area, and if the company intended to rely upon the European Commission approved standard contractual clauses to facilitate the transfer, some member states required that the company submit a copy of the standard contractual clause to the supervisory authority to either approve or to have on-file.
The GDPR removes the requirement that controllers submit registrations of data processing activities to local supervisory authorities. Under the GDPR, companies are only required to keep internal records to demonstrate their compliance with the cross-border transfer restrictions imposed by the regulation. Those records may be requested by a supervisory authority and the company is required to cooperate with such request.