Our data protection and GDPR legal experts unpick the latest European Commission changes to standard contractual clauses (SCCs) used for data transfers between EU and non-EU countries.
- Why are standard contractual clauses necessary in data transfers?
- How do the new SCCs differ from the previous ones?
- When can the new EU SCCs be used?
- Can UK data exporters use the new EU SCCs?
- How long before organisations must use the new EU SCCs?
- Contract remediation – practical steps for data exporters
Why are standard contractual clauses necessary in data transfers?
The General Data Protection Regulation (GDPR) imposes restrictions on the transfer of personal data outside the European Union (EU) to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Many organisations use Standard Contractual Clauses (SCCs) as a way to ensure the lawful and secure transfer of personal data to third countries, for instance to transfer personal data to a parent company based in the US, or to a supplier in India.
On 4 June 2021 the European Commission published its final decision adopting new SCCs for the transfer of personal data to third countries (new SCCs). The new SCCs repeal the existing SCCs dating from 2010, 2004 and 2001, and reflect the requirements of the GDPR.
How do the new SCCs differ from the previous ones?
- The new SCCs expressly allow for four different types of transfer: controller to controller, controller to processor, processor to processor and processor to controller. The current version only allows for the first two types of transfer.
- There is a ‘docking clause’ mechanism, which allows additional parties to be added to the contract. This could be particularly useful for intra-group transfers, for example where a new subsidiary needs to sign on.
- The model terms are consolidated into one document (the current version has one set for each type of transfer) allowing controllers and processors to identify the appropriate clauses that apply on a modular basis.
- Article 28 GDPR minimum processor terms are expressly included, whereas the current version is silent on this.
- There is an option to choose the governing law and jurisdiction of any Member State.
- A mechanism to address the issues raised by the Schrems II judgment of the EU Court of Justice is incorporated, including a requirement to carry out and document a risk assessment and adopt supplementary measures if necessary.
When can the new EU SCCs be used?
The new SCCs will be triggered by any data transfer where the data exporter is subject to the GDPR and the data importer is not subject to the GDPR (in a third country).
They can also apply if the data exporter is not established in the EU, but is subject to the GDPR on an extraterritorial basis (for example because it intends to offer goods and services to data subjects in the EU).
Can UK data exporters use the new EU SCCs?
The new SCCs don’t cover transfers of personal data from the UK to a third country. Data exporters from the UK should continue to use the current SCCs; however, the ICO has said it will consult on new, UK-specific data transfer agreements this summer.
Transfers from the EU to the UK continue, for the moment, to be covered by the EU-UK Trade and Cooperation Agreement whilst the European Commission considers approval of the draft decision to grant UK ‘adequacy’ status. In the event that the UK is not granted adequacy, contracts between EU data exporters and UK data importers may also need migrating to the new SCCs.
How long before organisations must use the new EU SCCs?
- There is a transition period of three months from the publication date, during which organisations can use either the new or the old SCCs in unsigned contracts.
- The old SCCs will cease to be valid for future use three months after the publication date of the new SCCs, meaning that any new contracts signed after this time must contain the new SCCs.
- Use of the old SCCs must stop altogether 18 months after the publication date. Organisations should use this time to complete a review and repapering exercise to fully migrate to the new SCCs.
Contract remediation – practical steps for data exporters
- You should assess and map all data flows and transfer arrangements where you are operating as a data exporter (either a controller or a processor) that is subject to the GDPR, and you are transferring data to an importer that is not subject to GDPR (in a third country).
- With regard to any new transfers, you should be ready to incorporate the new SCCs so that the longer-term remediation problem does not get any bigger. You should factor the additional time this may incur into any current contract negotiations, as the new SCCs involve some new decisions, meaning it may not be a simple case of swapping one set of SCCs for another.
- For existing arrangements, you should review which data transfers will continue beyond the 18 months and take measures to migrate those arrangements to the new SCCs. It makes sense to prioritise those transfers that relate to key contracts for your organisation, and also those that are due for renewal before the expiry of the 18 months. It may also make sense to take the opportunity to check and update the information contained in the schedules of the current SCCs (for instance, the types of personal data covered by the SCCs, and the security measures in place to protect the data, as these aspects may have developed since the SCCs were signed).
- Identify any ‘gaps’ in the current usage of SCCs, i.e. those contracts which ought to have incorporated the SCCs but did not.
- Review your current portfolio of data processing agreements (DPAs) to map which have the old SCCs incorporated. The new SCCs contain Article 28 processing terms and, given that the SCCs take precedence over the terms of the DPA, there may be a conflict between the substantive terms of a DPA and the new SCCs.
- Be prepared to proactively address the requirements of Schrems II; in particular, you should consider whether any supplementary measures are required to protect a data transfer to a third country in accordance with the Schrems II judgment.
- Factor the uncertainty around the UK position (with regard to both the adequacy status and the intention to consult on UK SCCs) into the project planning.
For some organisations, the above may be a straightforward exercise; for others, it will be more complex. We suggest that you start the review process as soon as possible to ensure you have sufficient time to repaper your contracts where necessary.