On 27 September 2022, the Ibero-American Network for the Protection of Personal Data (RIPD) published the Guide for the Implementation of Standard Contractual Clauses for the International Transfer of Personal Data (“Guide“), which sets out certain aspects to be considered when making international transfers of personal data (ITPD) through the use of standard contractual clauses (SCC).
The Guide includes non-binding guidance for those who make ITPD from member countries of the RIPD to non-adequate jurisdictions.
The use of SCC is an alternative to ITPD.
Generally, a country is considered to offer adequate levels of protection when its legal framework allows concluding that personal data (“Data“) is adequately protected.
If the destination country is not recognized as providing an adequate level of protection, then the ITPD may be carried out through a transfer mechanism that provides adequate safeguards or through the application of one of the exceptions provided for in the local regulations.
Among others, the mechanisms that grant adequate guarantees are usually the following:
- Binding corporate rules
- Code of conduct approved in accordance with applicable law
- Certification mechanism
Among others, the purpose of SCC is to ensure and enable compliance with the requirements set forth under the law of the country of the Data exporter (“Exporter”) for ITPD to a country that is not recognized as adequate.
Currently, SCC are the most accessible and widely used legal mechanism for ITPD to non-adequate jurisdictions.
According to the Guide’s SCC, the applicable law must be that of the Exporter’s country. The rationale is that the Data is collected and processed under the law of the country where the Exporter is located, and when Data is transferred to a non-adequate country, it is necessary to preserve the level of protection that the Data has in the country where the Exporter is located.
On the demonstrated responsibility of the parties, the Guide considers the best practices proposed by the RIPD in 2017. The Guide’s SCC state that parties must be able to evidence compliance with the same. In particular, the data importer must, among other things, inform the Exporter if, for any reason, it is unable to comply with the SCC.
The Guide includes SCC for ITPD between controllers and for ITPD from controllers to processors. Drafting of templates of SCC for processor-to-processor and processor-to-controller is foreseen for the future.
As anticipated, the Guide is not mandatory and consequently does not replace national regulations or the guidelines of each country’s enforcement authorities.
To access the Spanish version click here.