GDPR Brief: international “onward” transfers of genomic data under the EU Standard Contractual Clauses

14 Dec 2020

For nearly two decades, the EU Standard Contractual Clauses have been a key legal mechanism for transferring personal data out of the EEA (and now, the UK).  Despite this, the SCCs’ requirements for onward transfers have received little attention.

For nearly two decades, the EU Standard Contractual Clauses (SCCs) have been a key legal mechanism for transferring personal data out of the EEA (and now, the UK).  Despite this, the SCCs’ requirements for onward transfers – i.e. when an initial recipient (a data importer) passes the data to someone else – have received little attention.

That seems set to change: new (draft) guidance from the European Data Protection Board (EDPB) stresses the importance of assessing who might subsequently receive the data being transferred – whether a peer (such as a research collaborator), another database, or even just a vendor (such as a laboratory or a cloud computing provider).  

The SCCs then provide different options to ensure this is GDPR-compliant:

  • The Controller-to-processor (C2P) SCCs require the data importer to obtain an exporter’s consent to the appointment of a sub-processor; the importer must then transpose the SCCs’ requirements into its contract with the sub-processor.
  • The Controller-to-controller (C2C) SCCs (2001 and 2004 editions) are more complex.  They generally prohibit onward transfers unless one of several options are implemented.  These are summarised in the table below.
Basis for onward transfer Practical implications
The onward transferee is covered by an EU adequacy decision Data can potentially be passed on to recipients in places like Israel, New Zealand or Switzerland without extra formalities. Canada and Japan are also permitted destinations, subject to limitations. 
The onward transferee becomes a signatory to these SCCs or another approved data transfer agreement  Unclear whether this literally means adding a party to the exporter’s own SCCs (directly), or just ensuring “back to back” use of SCCs by a data importer with its onward transferees (which has advantages as well as disadvantages).  Directly adding new parties can be made more practical by adding extra provisions to the SCCs, allowing easy adherence by new parties without needing all the existing parties’ signatures.  

Note that it can be difficult to get public bodies (such as clinical trial inspectors, or state-run research institutes) to agree to the SCCs – they might fear this would unacceptably fetter their statutory responsibilities (e.g. impede clinical trial oversight), or expose them to data protection litigation and enforcement in the UK / EEA (raising sovereign immunity issues).

Notice was given to data subjects, giving them a chance to opt out Unless this notice was given when collecting data directly from data subjects, it might often not be practical to notify all data subjects of a new onward transfer – for example long after sample collection or study completion. There will also be a question of what to do if a data subject objects.
With regard to onward transfers of sensitive data, data subjects have given their unambiguous consent This includes health and genetic data.

The drafting of 2004 C2C SCCs possibly makes this the only basis for onward transfers of such data under those SCCs.  In the alternative 2001 version, it is clearer that this is one alternative.  Organisations working with health and genetic data should balance this against the 2001 version’s drawbacks. 

The 2004 version’s ambiguity is thankfully also absent from the (2020) draft SCCs issued by the European Commission. 

Table 1: C2C SCC onward transfer options

In the (2020) draft SCCs just released by the European Commission, those onward transfer options are preserved, and a “docking” mechanism – for easy addition of new parties – is included as standard.  In addition, onward transfers are also permitted to users of other GDPR-compliant transfer safeguard mechanisms, such as Binding Corporate Rules or approved codes of conduct.  The consultation on these “next-gen” SCCs ran until 10th December, and their finalisation is expected in the first quarter of 2021.  

For both current and next gen SCCs, it seems likely that those using the SCCs for genomic data transfers will need to assess and (if necessary) compensate for transfer risks, both for initial exports and – potentially – for onward transfers, applying the Schrems II criteria; they may also need.to stay abreast of and respond to evolutions in those risks over time, especially as foreign laws change.

Further Reading

Relevant GDPR Provisions

Phil Bradley-Schmieg is a senior associate in Bird & Bird LLP’s Privacy and Data Protection Group.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.

Latest News

Logos for the Research Data Alliance (RDA) and GA4GH, which are forming a strategic relationship
11 Jul 2024
GA4GH and the Research Data Alliance (RDA) agree to a Strategic Relationship to advance responsible data sharing
See more
Birds eye view of people walking on a street, connected by a network.
2 Jul 2024
Public attitudes for genomic policy brief: genomic data sharing in Singapore
See more
Puzzle pieces coming together against a binary code background
25 Jun 2024
Uncovering and overcoming common data sharing challenges in the Rare Disease landscape
See more