1. The data importer shall not subcontract any of its processing operations carried out on behalf of the data exporter in accordance with the clauses without the prior written consent of the data exporter. If the data importer subcontracts its obligations under the Clauses with the consent of the data exporter, it will only do so through a written agreement with the sub-processor that imposes on the sub-processor the same obligations imposed on the Data Importer under the Clauses. If the Sub-Processor fails to comply with its data protection obligations under such a written agreement, the Data Importer will remain fully liable to the Data Exporter for the performance of the Sub-Processor`s obligations under this Agreement. The parties undertake not to change or modify the clauses. This does not prevent the parties from adding clauses to business-related matters if necessary, provided that they do not contradict the clause. 2. The data subject may apply this clause, clauses 5 (a) to (e) and (g), clauses 6, clauses 7, clauses 8(2) and clauses 9 to 12 against the data importer if the data exporter has de facto disappeared or legally ceases to exist, unless a successor company has assumed all the legal obligations of the data exporter by contract or by operation of law. accordingly, it assumes the rights and obligations of the data exporter, in which case the data subject may assert them against that body. This is a procedure adopted by the Article 29 Working Party that allows companies to use contractual clauses based on standard contractual clauses (with certain derogations such as additional clauses) to shape the transfer of data from different EU Member States. The procedure has been put in place to allow the competent data protection authorities to reach a coordinated opinion on the compliance of the proposed contract with the Standard Contractual Clauses 3. The provisions on data protection aspects in the event of subcontracting of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause in accordance with clause 3 for cases where the data subject is unable to assert the claim for compensation referred to in clause 6(1) against the data exporter or data importer because they have in fact disappeared or no longer exist legally or have become insolvent and no successor organisation has assumed all legal obligations of the data exporter or importer by contract or by operation of law. This third-party liability of the sub-processor will be limited to its own processing operations in accordance with the Clauses. The European Commission has approved the use of standard contractual clauses as a means of ensuring adequate protection when transferring data outside the EEA. By including standard contractual clauses in a contract between parties transferring data, personal data is considered protected when transferred outside the EEA or the UK to countries not covered by an adequacy decision. Well, a success for Google, but it`s still a particularly difficult time for organizations trying to ensure that international data transfers comply with data protection laws. Of course, standard contractual clauses in the EU are still subject to challenge. Ireland`s Data Protection Commissioner has initiated proceedings in the Irish High Court following a complaint by Max Schrems against Facebook Ireland Limited`s use of the Standard Contractual Clauses. The hearing opened on 7 February 2017, during which the High Court must decide whether or not to refer the matter to the CJEU. We await the outcome of the hearing and whether the future status of the standard contractual clauses will be resolved or referred back to the CJEU for decision.
(h) provide data subjects, upon request, with a copy of the clauses, with the exception of Annex 2, and a brief description of the security measures, as well as a copy of a contract for subcontracting services to be concluded in accordance with the clauses, unless the terms or the contract contain commercial information, in which case it may delete that commercial information; Standard Contractual Clauses (also known as “Standard Contractual Clauses”, “Model Clauses” or “MCCs”) are a set of standard provisions approved by the European Commission that can be used to comply with legal requirements relating to the transfer of personal data outside the European Economic Area. Google also offers these standard contractual clauses to customers of its business services, including Google Workspace, Google Cloud Platform, Google Ads, and other advertising and measurement products. For more information about Google`s use of standard contractual clauses for business services, see privacy.google.com/businesses. (d) `sub-processor` means any processor engaged by the data importer or other sub-processor of the data importer who agrees to receive personal data from the data importer or another sub-processor of the data importer intended exclusively for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions; the terms of the clauses and the terms of the written subcontract; WP 226 requires the data protection authorities of the Member States concerned to review the clauses and to be managed by the lead authority. The lead authority is either chosen by the applicant organisation on the basis of the criteria established in WP 226 – for example, the place where clauses are decided and elaborated, where most decisions are made on the purposes and means of processing, the “best” location in terms of management and administration. Alternatively, the other data protection authorities involved in the review may designate the most appropriate authority to take the initiative. On 4 June 2021, the European Commission published new Standard Contractual Clauses (SCCs) to help protect personal data. These new CBAs have replaced the CCS previously adopted by the European Commission in 2010 and can be used under certain conditions to facilitate legal data transfers.
By imposing various contractual obligations, THE CCT allow the influx of personal data subject to the GDPR to recipients located outside the European Economic Area (EEA). .