GDPR Brief: standard contractual clauses for transferring genomic and health data (March 2020 bonus brief)

17 Mar 2020

SCCs can make data transfers to any country possible, including to recipients not covered by the EC adequacy decision for their country (e.g. US recipients not registered in the Privacy Shield). Nevertheless, the Court of Justice of the EU has yet to decide whether SCCs alone establish an adequate level of protection for personal data or if the recipient country’s legal system also requires analysis.

Genomic and health data transfers from the EU to third countries (outside the EU/EEA) require data  processing to comply with the general requirements of the GDPR in connection—where relevant—with member state law, and with existing transfer requirements. The latter ensure that the level of data protection does not fall below that guaranteed by the GDPR, even if data leaves the EU/EEA.

Not all third countries provide an adequate level of protection. If a specific country’s level of protection has not been acknowledged as adequate, data transfer may nevertheless be possible, usually because appropriate safeguards are provided, along with enforceable rights and effective legal remedies for data subjects. Only 13 countries fall outside this category, all covered by European Commission (EC) adequacy decisions with varying scopes of application.

The EC can rule that standard contractual clauses (SCCs) offer appropriate data protection safeguards for international data transfers. It has issued SCCs for transfers from EU data controllers to non-EU/EEA controllers and for transfers from EU controllers to non-EU/EEA processors. These were issued under the GDPR’s predecessor, Directive 95/46/EC, but remain in force under the GDPR.

When using SCCs, both data sender and receiver sign up to the contractual obligations. While the contracting parties are released from having to negotiate individual terms, they can still include additional clauses provided these do not contravene the SCCs, allowing research organisations some flexibility.

SCCs can make data transfers to any country possible, including to recipients not covered by the EC adequacy decision for their country (e.g. US recipients not registered in the Privacy Shield). Nevertheless, the Court of Justice of the EU has yet to decide whether SCCs alone establish an adequate level of protection for personal data or if the recipient country’s legal system also requires analysis.

Furthermore, fixed SCC terms covering jurisdiction and audits may make signing up difficult for data importer research organizations, e.g. US government agencies. Additionally, when considering onward transfers—i.e. the initial non-EU/EEA data recipient sharing data with new research collaborators—SCC rules lack clarity (particularly the 2004 controller-to-controller version). Some suggest that if sensitive data is involved, consent should be obtained from the data subjects. Lastly, all current forms of the SCCs are premised on the data exporter being a controller. This creates challenges for EU-based study sites and data hosting/analytics providers when dealing with non-EEA customers, as they are increasingly positioning themselves as processors.  

The EC’s current work on updating SCCs for the GDPR might help settle these issues. As long as the EC does not adopt new SCCs, the current model clauses and their templates remain valid. A side agreement can update the terminology of the controller-processor model clauses to the GDPR and incorporate the new obligations it creates without affecting the SCCs’ validity. Any changes that go beyond these adaptations or editorial alignments intended to integrate SCCs into comprehensive contracts require individual authorization by supervisory authorities, to avoid contradicting the SCCs or limiting data subjects’ rights.

Research organizations in certain member states may have options beyond the EC-issued clauses. The GDPR also allows national supervisory authorities to adopt SCCs, though these must be approved by the EC to ensure safeguards for transfers to third countries.

Standard Contractual Clauses by the European Commission

• 2001/497/EC
• 2004/915/EC
• 2010/87/EU

Further Reading

• Jane Reichel. “Oversight of EU medical data transfers – an administrative law perspective on cross-border biomedical research administration.” Health Technol (Berl). 2017;7(4):389–400.

Relevant GDPR Provisions

• Article 28 – Processor 
• Article 46 – Transfers subject to appropriate safeguards
• Article 93 – Committee procedure

Fruzsina Molnar-Gabor is research group leader at the Heidelberg Academy of Sciences and Humanities and lecturer at Heidelberg University’s Faculty of Law.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.