Does your business transfer personal data from the EU to third countries?
On 4 June, the European Commission published its long-awaited decision adopting new SCCs for the transfer of personal data from the EU to third countries. The new SCCs repealed the existing SCCs and reflect the requirements of the GDPR.
Key updates include:
- Four different types of transfer are recognised, including ‘processor to processor’ and ‘processor to controller’, as opposed to two
- Controllers and processors can consult a new document to identify the appropriate clauses that apply on a modular basis
- A ‘docking clause’ mechanism allows additional parties to be added to the contract
- A mechanism addressing the Schrems II judgement is included
Data exporters now have three months to stop using the legacy SCCs in any new contracts, and 18 months to ensure their entire portfolio of contracts includes the new SCCs as opposed to the old ones.
Becky White, data protection and GDPR expert at Harper James Solicitors advises: ‘Although the new SCCs address some key deficiencies in the previous set, businesses are now under some pressure to react. Those transferring data from the EU to third countries now have 18 months to review their full suite of commercial contracts, and migrate them to the new SCCs where appropriate. When it comes to new contracts, businesses have only three months to stop using the legacy SCCs altogether, this should be factored into ongoing negotiations as soon as possible. Due to Brexit, the position for UK data exporters transferring data to third countries is unaffected by the publication of the new SCCs due and transfers will continue to be based on the legacy SCCs, although the ICO has confirmed it intends to consult on new UK SCCs shortly.’
Our new guide covers the changes to SCCs in more detail and includes some suggestions on how to approach a contract remediation project. If you’d like help with any aspect of understanding and complying with GDPR, get in touch with our friendly and knowledgeable experts.