Shortly before marking the #DataProtectionDay in January 2020, the Commissioner for Information of Public Importance and Personal Data Protection (the “Commissioner”) passed the Decision establishing Standard Contractual Clauses.
In that way, the Commissioner fulfilled his obligation under the Law on Personal Data Protection (“LPDP”), and Serbia took a step closer to completing the legal framework for personal data protection.
What are standard contractual clauses?
Standard contractual clauses (“SCCs“) represent a contract model that governs the relationship of two parties to the processing of personal data.
Like almost all LPDP decisions, SCCs are not the original legal mechanism of the domestic legislator, but rather an idea taken from GDPR. But while EU law recognizes two types of SCCs, those that govern the relationship between two controllers and those that govern controller – processor relations, the LPDP knows only one type of SCC, and that is those that govern the relationship between controller and processor.
This is an obvious omission by the domestic legislator, which will be particularly obvious in cross-border data transmission, where the existence of SCCs regulating the relationship between two controllers would be of great practical importance as those SCCs relate to situations where the data recipient abroad independently determines the purpose of processing which it performs, while the processor always acts within the purpose of processing previously specified by the controller.
When are SCCs applied?
LPDP stipulates that in the situation when the controller entrusts the processing operations to the processor, such processing must be governed by a contract or other legally binding act, which is concluded or adopted in writing, including an electronic form, which obliges the processor to the controller and which governs the subject and the period of processing, the nature and purpose of processing, the type of personal data and the type of data subject to be processed, as well as the rights and liabilities of the controller.
Thus, the legal relationship of any controller and any processor can be based entirely or in part on SCC. They can be applied as a stand-alone contract or as part of a contract between the controller and the processor, without any modification of the SCCs wording being allowed, otherwise such contract shall not be considered an SCCs within the meaning of the LPDP.
SCCs will be of particular importance in the case of data transfer by controllers based in Serbia to a processor based in a country where an adequate level of personal data protection is not provided, i.e. which are not parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, nor are they on the list of countries or parts of their territories that have been found by the EU to provide an adequate level of protection, i.e. those listed by the Government of the Republic of Serbia.
In such cases, the transfer of data will be possible with the application of appropriate safety measures, i.e. on the basis of the SCCs and without the special approval of the Commissioner.
Notwithstanding the shortcomings of a legal solution that recognizes only one type of the SCCs, the decision of the Commissioner to establish the SCCs will certainly facilitate the transfer of data to certain countries, providing sufficient guarantees to the data subjects.
In addition, it should be noted that the text of the SCCs itself is not sufficient for a valid contract to exist, but the contracting parties must complete appendices to the SCCs and enter certain information about the specific processing of personal data, which must be approached with caution.
This article is to be considered as exclusively informative, with no intention to provide legal advice.
If you should need additional information, please contact us directly.