Case analysis GDPR: Is there a need to have standard contractual clauses in the Binding Corporate Rules and Code of Conduct?

1. Question:

The standard contractual clauses edited by the European Commission (Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) have a clause 14 that gives specific obligations on the shoulders of both exporter and importer in a matter of data protection in the third country of destination of the data. However, such a clause is not there in the Binding Corporate Rules (BCRs) and the code of conduct (CoC). Is there a requirement to introduce such kind of clause in the BCRs and CoC?

2. Analysis:

2.1 Introduction
(EU) 2021/914 of 4 June 2021 is a decision by the European Commission that has adopted new standard contractual clauses (SCC) for the transfer of personal data to third countries. These new clauses are intended to provide organizations with a GDPR-compliant mechanism for transferring personal data to third countries while also ensuring adequate protection for the individuals whose personal data is being transferred. Clause 14 of these SCC sets out specific obligations for the exporter and importer of the data in terms of data protection in the third country of destination. It also ensures that individuals are informed about the possibility of lodging a complaint with a supervisory authority. However, such a clause is not included in BCRs or CoC. BCRs are a different mechanism that can be followed for transferring personal data from the EU to third countries, and codes of conduct are voluntary that organizations can adopt to demonstrate compliance with data protection laws.
The question thus arises whether there is a need to have such clauses in the BCR and CoC also.

2.2 Discussion
BCRs are a specific type of corporate rule that allows organizations to transfer personal data from the European Union (EU) mainly to their own affiliates or subsidiaries located in third countries that do not have an adequate level of data protection. BCRs are approved by the data protection authorities of the EU Member States, and they provide a legally binding framework for protecting personal data in these organizations.

On the other hand, codes of conduct are voluntary codes of conduct that organizations can adopt to demonstrate compliance with data protection laws. They can be developed by industry associations, trade unions or other representative bodies and are adopted by organizations wishing to demonstrate their commitment to data protection. They are designed to provide a set of standards that organizations can adopt to ensure that they are meeting their legal obligations to protect personal data.

Both BCR and codes of conduct are not mandatory for transferring data to third countries and are different from standard contractual clauses (SCCs). SCCs are to be followed for transferring personal data from the EU to third countries that do not have an adequate level of data protection. Organizations that want to transfer personal data from the EU to a third country must use the SCCs and comply with the obligations set out in Clause 14.

While BCRs and codes of conduct are not legally required to include a clause similar to Clause 14 of the SCCs, they may include similar requirements for data protection. The General Data Protection Regulation (GDPR) set out the legal requirements for transferring personal data to third countries and does not specifically require BCRs and codes of conduct to include a clause similar to Clause 14 of the SCCs. However, organizations are required to ensure that personal data is protected to the same standard as it would be within the EU, even when transferred to third countries. Hence, it is essential to note that even when using BCRs or codes of conduct, organizations must also comply with all other applicable data protection laws, including the GDPR and the laws/ regulations of the third country.

Even though it may not be required to have a similar clause in BCR or code of conduct, however, having a clause similar to it could provide several benefits:

  • Clarity and consistency: Having a similar clause in BCRs and codes of conduct would provide a clear and consistent set of obligations for organizations that transfer personal data to third countries. This would make it easier for organizations to understand their obligations and ensure that they are complying with data protection laws.
  • Greater transparency: A clause similar to Clause 14 of the SCCs would require organizations to provide information to demonstrate compliance with data protection laws. This would increase transparency and make it easier for data protection authorities and individuals to understand how personal data is being protected when it is transferred to third countries. This would also increase the accountability of organizations that handle personal data, which would enhance trust in their ability to protect personal data.
  • Simplifying compliance: By having similar clauses in BCRs and codes of conduct, organizations would be able to comply with data protection laws more easily. This would reduce the administrative burden of having to comply with different sets of rules for different types of data transfers.

Few additional points to consider when deciding whether or not to include a clause similar to Clause 14 of the standard contractual clauses (SCCs) in BCRs and CoC:

  • The feasibility of implementing such a clause should be analyzed
  • Specific risks associated with the personal data being transferred to third countries. Certain obligations may be more important than others depending on the country and the nature of the data being transferred. For example, if the data being transferred is sensitive in nature, such as health data, it may be considered to include additional protections in BCRs and codes of conduct to ensure that the data is adequately protected.
  • Data protection authorities’ guidance: Reference should be made to any guidance or recommendations provided by data protection authorities in their jurisdiction regarding the inclusion of such a clause in BCRs and codes of conduct.
  • Industry standards and best practices: it should be considered whether including such a clause is consistent with industry standards and best practices.

3. Conclusion
As already mentioned, including such a clause in BCRs and codes of conduct would provide a clear and consistent set of obligations for organizations that transfer personal data to third countries, as well as better protection for personal data, greater transparency, and simplifying compliance. It would also enhance trust among individuals, customers, and regulators. This
would also mean that organizations would have a clearer understanding of what they need to do to demonstrate compliance with data protection laws, which would reduce the risk of errors or misunderstandings. Also, regular reviews of BCRs and codes of conduct should be done to ensure they are still meeting the requirements of the GDPR and other data protection laws as
they may evolve over time. While it is important to note that including such a clause in BCRs and codes of conduct is not
mandatory. However, organizations still have to comply with the GDPR and other data protection laws when transferring personal data to third countries without including such a clause. It is important for controllers and processors to carefully consider the laws and practices in the third destination country when transferring personal data and to ensure that they comply with the GDPR. This means that controllers and processors should ensure that the personal data is transferred in a manner that respects the essence of the fundamental rights and freedoms of individuals and that does not exceed what is necessary and proportionate in a democratic
society to safeguard one of the objectives listed in Article 23(1) of the GDPR.

In summary, while it is not necessary to introduce a specific provision addressing this issue in the BCRs or codes of conduct, having such specific clauses also in BCR and code of conduct may be beneficial for certain things, as was listed earlier in 2.2 above (for ex. clarity, transparency, compliance).

Comment

The views in all sections are personal views of the author.