Don't Forget to Use the New SCCs to Transfer EU Personal Data as of September 27, 2021

Wilson Sonsini Goodrich & Rosati
Contact

Wilson Sonsini Goodrich & Rosati

As of September 27, 2021, companies relying on Standard Contractual Clauses (SCCs) to transfer personal data outside the European Union (EU) must use the new Standard Contractual Clauses (New SCCs) when signing data processing agreements. As a result, it is time to update template data processing agreements to ensure that your company can meet this deadline.

In practice, companies should consider:

  1. Carefully analyzing the New SCCs to assess how they can comply with the new requirements, selecting the appropriate module(s), and completing the relevant annexes.
  2. Updating existing template data processing agreements to ensure that any new contract concluded as of September 27, 2021, relies on the New SCCs.
  3. Completing a Data Transfer Impact Assessment(s) for any relevant transfer of EU personal data.
  4. Developing a plan to update existing agreements and replacing the old SCCs with the New SCCs by December 27, 2022.

Background

Companies exporting and importing EU personal data must comply with EU data transfer restrictions by implementing a data transfer mechanism to transfer personal data from the EU to a country that is not considered to provide an adequate level of protection. Most countries outside the EU, including the U.S., are not considered to provide such a level of protection under EU law.

Various mechanisms exist for the transfer of EU personal data. Following the Schrems II decision, which invalidated the EU-U.S. Privacy Shield, the most popular tool is the SCCs. Schrems II also created an obligation for companies to take measures to ensure that the SCCs are effectively complied with. More information on the Schrems II decision is available here. In interpreting this decision, the European Data Protection Board strongly recommended that companies conduct Data Transfer Impact Assessments (DTIAs), which are becoming widespread.

On June 4, 2021, to account for the General Data Protection Regulation (GDPR) and the Schrems II decision, the EU Commission issued New SCCs that became effective on June 27, 2021. More information on the New SCCs is available here.

The New SCCs provide for a transition period allowing companies to continue using the old SCCs. This transition period expires on September 27, 2021, meaning that as of that date, companies must use the New SCCs for data transfers when entering into new data processing agreements. Existing agreements that rely on the old SCCs must be updated by December 27, 2022. However, if the processing operations change before December 27, 2022 (e.g., new categories of data added, new parties added, etc.), companies must transition to the New SCCs at the time of the changes.

Our privacy and cybersecurity practice routinely advises on EU data transfers restrictions and can help you tackle the challenges raised by this fast-moving area. 

Written by:

Wilson Sonsini Goodrich & Rosati
Contact
more
less

Wilson Sonsini Goodrich & Rosati on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.