2018年5月出台的《通用数据保护条例》,对个人数据从欧洲经济区传输到保护不充分的国家时提出新要求。
When the GDPR was introduced in May 2018, new requirements arose for the transfer of personal data outside of the European Economic Area (EEA) to countries with inadequate protections.
如果个人数据传输到保护不充分的目的国/地区时,必须采取与《通用数据保护条例》相同的标准来保护数据。实施保障措施的最佳途径之一是将标准纳入为合同义务。出于这个原因,数据导出与数据导入使用均《通用数据保护条例》标准合同条款。
If you are transferring personal data to an inadequate destination, the requirements mandate that you must first put safeguards in place to protect the data to the same standard as the GDPR. One of the best ways to implement safeguards is by incorporating contractual obligations. For this reason, data exporters use the GDPR standard contractual clauses with data importers.
这些条款起到了很好的保障作用,因为欧盟委员会准备这些文件的明确目的是保护个人数据传输至海外。因此,他们提出:
The clauses work well as a safeguard. This is because the European Commission prepared them with the express purpose of protecting overseas transfers of personal data. Accordingly, they set out what:
①数据导出者必须做到安全导出数据; 和
a data exporter must do to export the data safely; and
②数据导入者必须在收到数据时保护数据。
the data importer must do to safeguard it on receipt.
标准合同条款产生于《通用数据保护条例》出台前,没有考虑《通用数据保护条例》的具体要求,具有局限性。然而,新标准合同条款已经根据《通用数据保护条例》进行了调整。
The drawback of using the old clauses was that they were created before the GDPR. Therefore, they did not contemplate all of the GDPR's specific requirements. The good news is that the new standard contractual clauses have been updated with the GDPR in mind.
标准合同条款变更
Standard Contractual Clauses Changes
标准合同条款一个重要变更是,虽然旧标准合同条款确定在《通用数据保护条例》前,但新版本的调整更好地使标准合同条款与《通用数据保护条例》保持一致,《通用数据保护条例》的更改主要体现在以下三种方式:
One of the key changes to the standard contractual clauses is that while the previous version was prepared before the GDPR, the new version includes updates to better align the clauses with the GDPR. You can see the GDPR driven changes in three main ways. These are as follows:
不同类型的传输模块
Modules for Different Types of Transfers
旧标准合同条款只适用于下列传输:
Previously, the standard contractual clauses only applied to transfers that were either:
欧盟控制者-欧盟境外处理者;或者
EU-controller-to-overseas-processor; or
欧盟控制者-欧盟境外控制者。
EU-controller-to-overseas-controller.
然而,新的标准合同条款包括一系列不同类型的传输途径,包括:
Whereas, the new clauses include modules for a range of different types of transfers, including:
控制者-控制者;
controller-to-controller;
控制者-处理者;
controller-to-pr
ocessor;
处理者-处理者;
processor-to-processor; and
处理者-控制者。
processor-to-controller.
还有一点明确的是,使用新的标准合同条款的各方不要求必须是欧盟的成员国。这意味着,受《通用数据保护条例》约束的澳大利亚企业可以利用新的标准合同条款保护传输向不充分的第三国的数据。
It has also been clarified that the parties do not have to be in the EU to use the clauses. This means that Australian-based businesses, which are subject to the GDPR, can use the clauses to safeguard transfers to inadequate third countries.
新的标准合同条款可作为数据处理协议使用
The Clauses Can Be Used as a Data Processing Agreement
《通用数据保护条例》要求个人数据的控制者和处理者之间通过合同或其他法律行为来约束处理者代表控制者处理个人数据。此外,《通用数据保护条例》还要求合同中包含一些特定的条款,通常通过数据处理协议来体现。
The GDPR requires controllers and processors of personal data to have a contract or other legal act that binds the processor's processing of personal data on behalf of the controller. In addition, there are specific items that the GDPR requires parties to include in the contract. Typically, this is managed by way of a data processing agreement.
除了保障海外传输外,新的标准合同条款还具有充当数据处理协议的作用。因为当中包含了控制者和处理者之间进行数据处理所有所需事项。因此,新的标准合同条款将成为数据处理术语的黄金标准。
In addition to safeguarding overseas transfers, the new clauses work as a data processing agreement. This is because, unlike the old version, they include all the items which need to be put in place between a controller and processor for data processing. Accordingly, it is expected that the clauses will become the gold standard for data processing terms.
在此建议使用标准合同条款作为数据处理协议的基础。不过,可在条款中加上商业条款。只要他们不:
It is likely to be recommended to use the standard contractual clauses as a base for a data processing agreement. However, you can add commercial terms to the clauses. This is as long as they do not:
直接或间接地与标准合同条款相矛盾;或
contradict, directly or indirectly, the standard contractual clauses; or
损害与个人数据相关主体的基本权利和自由。
prejudice the fundamental rights and freedoms of the individuals the personal data relates to.
这意味着可以为数据处理和传输协商更多商业细节和记录更多商业流程。例如,可以就什么是合理通知期限或多久进行一次安全检查进行约定。
This means you can negotiate and document further commercial details and processes for your data processing and transfers. For example, you can agree on what a reasonable notice period is or how often you will perform security checks.
与地方法律和政府当局有关的额外保护
Extra Protections in Relation to Local Laws and Access by Public Authorities
2020年7月,欧盟法院作出了一项称为Schrems II的裁决。由于美国的监管法律对个人数据的传输没有足够的保障措施,Schrems II使欧盟-美国隐私盾协议失效。虽然本案关注的是隐私盾协议,但也涉及到标准合同条款。此外,委员会注意到,与标准合同条款中保障措施相冲突的法律可能会破坏条款提供的保护。因此,Schrems II提出了一项要求,要求对每一项传输进行个案评估,以确定是否存在可接受的保护措施。
In July 2020, the Court of Justice of the European Union handed down a judgement known as Schrems II. Schrems II invalidated the EU-US Privacy Shield on the basis that US surveillance laws meant that there were not sufficient safeguards in place for the transfer of personal data. While the case focused on the Privacy Shield, it also touched on the standard contractual clauses. Further, it noted that laws which conflict with the safeguards included in the clauses might undermine the protections they provide. Schrems II, therefore, introduced a requirement to perform a case-by-case assessment of each transfer to decide whether there are acceptable protections in place.
为了解决政府当局(如执法机关或国家安全机关)和司法管辖区保护不充分的地方法律对准入时矛盾,新的标准合同条款应包括在某种情况下的进一步指示和义务。
To address the concern over access by public authorities, such as law enforcement or national security bodies, and local laws in inadequate jurisdictions, the new standard contractual clauses include further directions and obligations concerning what is to be done in a situation.
但是,这些变更并没有否定对每一项传输的保障措施进行个案评估的必要性。
Note, however, that the changes do not remove the need for a case-by-case assessment of the safeguards for each transfer.
接下来该做什么?
What to Do Next?
随着新的标准合同条款使用和最后期限来临,现在是时候审查当前数据传输及更新文档,以符合最新的条款和Schrems II案例。
With the new standard contractual clauses ready for use and upcoming deadlines, now is the time to review your current data transfers and update your documentation in line with the latest clauses and the Schrems II case.
截止至2021年9月底,首要任务应该是为今后的数据传输修改数据处理协议。之后还需要开始考虑如何以及何时将旧协议变更为新条款,请注意2022年底是最后期限。
With a late September 2021 deadline, your priority should be updating your data processing agreement for future data transfers. Following this, you will also need to start considering how and when you will migrate your old agreements to the new clauses, noting the late 2022 deadline.
新《通用数据保护条例》标准合同条款产生的影响
作者:ProfSimonChoi来源:广东良马律师事务所

2018年5月出台的《通用数据保护条例》,对个人数据从欧洲经济区传输到保护不充分的国家时提出新要求。