GDPR: QUESTIONS AND ANSWERS

Category:
Standard Contractual Clauses (SCC)

Are there any requirements for completing the Annexes? How detailed should the information be?

ANSWER

The parties must specify the particular data transfer scenarios to which they intend to apply the SCCs. In particular, they should identify the categories of personal data being transferred and the purpose(s) of the transfer (Annex I.A and B).

In addition, the parties must indicate their respective roles (as the data exporter or data importer), including in the case of subsequent additions under the (optional) docking clause (Clause 7).

Data exporters established outside the EU but subject to the GDPR (Article 3(2)) should indicate their EU representative appointed under Article 27 GDPR.

The parties must also identify the competent supervisory authority or authorities in accordance with Clause 13 (Annex I.C). Further information on selecting the competent authority can be found in the answer to Question 38.

Although the SCCs set out general requirements regarding data security and the processing of sensitive data, these requirements should be specified in relation to the particular transfer at issue (Annex I.B and Annex II).

With regard to security, Annex II contains a list of examples of possible technical and organisational measures. The parties are not required to list every one of these measures, nor should they simply copy the list; they should describe the measures that the data importer has actually implemented to ensure a level of security appropriate to the transfer at issue.

These detailed pieces of information should be included in the Annexes, which, pursuant to Clause 1(d), form an "integral part" of the SCCs.

Before completing the Annexes, the parties should carefully review the Explanatory Notes located on the first page of Annex I and at the beginning of Annex II.

Examples of information that should be included in the Annexes (see also the guidance of the European Data Protection Board, including guidance on transparency and controller-processor relationships):

  • Categories of data subjects whose data is transferred: e.g., employees, customers (natural persons), loyalty program participants, individuals subscribed to a newsletter, children receiving information society services, etc.
  • Categories of personal data transferred: e.g., first name, last name, email address, telephone number, residential address, national identification number, payment details, health record information, etc.
  • Purposes of the transfer and further processing: e.g., detection of unlawful activities, payroll administration, execution of bank payments, customer support, market research, etc.
  • Nature of the processing: e.g., storage, recording, publication, combination, sorting, dissemination, etc.
  • Retention period or criteria used to determine it: a specific retention period may be defined by legal requirements (e.g., X years). If it is not possible to specify an exact period, the parties should explain how the retention period will be determined, for example, based on industry guidelines, the duration of a data processing agreement, or similar criteria. Where different categories of personal data are subject to different retention periods, each period should be described separately.

The above answer is based on an official document of the European Commission.

You can review it at: https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf

A translated version of this document is also available on our blog under the title: "Standard Contractual Clauses (SCCs) – Questions and Answers".
