Multijurisdiction: Ibero-American Network for the Protection of Personal Data - Standard contractual clauses for the international transfer of personal data

In brief

On 27 September 2022, the Ibero-American Network for the Protection of Personal Data (RIPD) published the Guide for the Implementation of Standard Contractual Clauses for the International Transfer of Personal Data ("Guide"), which sets out certain aspects to be considered when making international transfers of personal data (ITPD) through the use of standard contractual clauses (SCC).

The Guide includes non-binding guidance for those who make ITPD from member countries of the RIPD to non-adequate jurisdictions.


Contents

In focus

The use of SCC is an alternative to ITPD.

Generally, a country is considered to offer adequate levels of protection when its legal framework allows concluding that personal data ("Data") is adequately protected.

If the destination country is not recognized as providing an adequate level of protection, then the ITPD may be carried out through a transfer mechanism that provides adequate safeguards or through the application of one of the exceptions provided for in the local regulations. 

Among others, the mechanisms that grant adequate guarantees are usually the following:

  • SCC
  • Binding corporate rules
  • Code of conduct approved in accordance with applicable law
  • Certification mechanism

Among others, the purpose of SCC is to ensure and enable compliance with the requirements set forth under the law of the country of the Data exporter ("Exporter") for ITPD to a country that is not recognized as adequate.

Currently, SCC are the most accessible and widely used legal mechanism for ITPD to non-adequate jurisdictions.

According to the Guide's SCC, the applicable law must be that of the Exporter's country. The rationale is that the Data is collected and processed under the law of the country where the Exporter is located, and when Data is transferred to a non-adequate country, it is necessary to preserve the level of protection that the Data has in the country where the Exporter is located.

On the demonstrated responsibility of the parties, the Guide considers the best practices proposed by the RIPD in 2017. The Guide's SCC state that parties must be able to evidence compliance with the same. In particular, the data importer must, among other things, inform the Exporter if, for any reason, it is unable to comply with the SCC.

The Guide includes SCC for ITPD between controllers and for ITPD from controllers to processors. Drafting of templates of SCC for processor-to-processor and processor-to-controller is foreseen for the future.

As anticipated, the Guide is not mandatory and consequently does not replace national regulations or the guidelines of each country's enforcement authorities.

To access the Spanish version click here.


Copyright © 2022 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.