On June 4, 2021, the European Commission adopted its long-anticipated updated Standard Contractual Clauses (New SCCs) for use by organizations transferring personal data outside of the European Economic Area (EEA) to third countries that do not provide adequate protections in respect of personal data. For more information, read our June 10 LawFlash, New European Standard Contractual Clauses Adopted for International Data Transfers.
In this post we look at some of the things that organizations will need to consider when updating their current standard contractual clauses (SCCs).
Use of the New SCCs is mandatory for contracts concluded on and after September 27, 2021. For contracts concluded prior to this date, use of the old standard contractual clauses (Old SCCs) continues to be permitted, subject to the requirement to implement supplementary measures pursuant to the Schrems II judgment.
All Old SCCs must be updated to the New SCCs by December 27, 2022.
Organizations currently negotiating contracts that will conclude prior to September 27, 2021, and which require SCCs will need to decide whether to use the New SCCs in their contract or to use the Old SCCs with the understanding that they will then need to be updated to the New SCCs by December 27, 2022.
The timelines above may seem generous; however, organizations with a significant number of contracts with SCCs may have a lot of work to do to ensure that they are compliant by the December 27, 2022 deadline.
Organizations should undertake a full audit of their contracts under which there are international transfers of personal data to assess what actions are required. Things to consider include the following:
- Do such contracts currently have SCCs in place? If not, are they required?
- What type(s) of transfer are being undertaken? (See Modules section below.)
- Is the personal data subject to the UK General Data Protection Regulation (GDPR), EU GDPR, or both?
- Are Schrems II supplementary measures currently being implemented?
Once the organization understands its current position in respect of SCCs, it should formulate a roadmap to compliance by the deadline.
Early engagement with contract counterparties is encouraged, as is a proactive approach (irrespective of whether the organization is a data controller or a data processor). Starting the review and update process as soon as possible will provide the best chance to achieve compliance by the deadline.
The New SCCs are split into modules that deal with four types of transfer:
- Controller to controller
- Controller to processor
- Processor to processor
- Processor to controller
As part of the contract audit referenced above, organizations should consider what type(s) of transfers arise under their contracts and adopt the appropriate module(s) to achieve compliance.
The New SCCs impose a number of substantive obligations on the parties. In addition to undertaking a contract audit for contractual compliance, organizations should fully review the requirements of the New SCCs and the obligations that they impose, so that the necessary processes and procedures are in place to comply with those obligations.
Schrems II Supplementary Measures
While the New SCCs are designed to work with the Schrems II judgment, organizations will still need to assess whether additional supplementary measures are required in order to provide adequate protections for the privacy rights of individuals whose personal data is transferred pursuant to the New SCCs. Please see the Schrems II section in our June 10 LawFlash for more details.
The UK government has not yet released its own SCCs or confirmed that use of the New SCCs is permitted under the UK GDPR. An update is expected at some point in 2021, which will hopefully provide clarity. As such, the Old SCCs will still need to be used for transfers of personal data that is subject to the UK GDPR out of the United Kingdom to a third country, along with the necessary Schrems II supplementary measures.
Unfortunately, this will leave many organizations that process personal data that is subject to both the EU GDPR and the UK GDPR in a position where they will need to use both the Old SCCs and the New SCCs.
SCCs are not currently required for the transfer of personal data between the EEA and the United Kingdom following the European Commission’s adequacy decision on June 28, 2021. For more information, see our June 29 LawFlash, UK Adequacy Decision for European Data Transfers.