On 4 June 2021, the European Commission published its new data protection Standard Contractual Clauses (SCCs) for General Data Protection Regulation (GDPR) international data transfer compliance. These clauses replace the pre-GDPR clauses published in 2010 and 2014. The new clauses are more fully aligned with the GDPR and the Court of Justice of the European Union’s decision in the Schrems II case of 2020. The clauses came into force on 27 June 2021. From 27 September 2021, all new data protection international transfer arrangements must use the new SCCs. By the end of December 2022, all contracts that transfer the personal data of individuals based in the EU must be updated to reflect the new SCCs. This means that comprehensive data protection updating will be required across a wide range of supply chains.
Key Things to Know about the New SCCs
The key purpose of the new SCCs is to imbed GDPR-compliant and legally binding contractual terms into supply chains and value chains, around the world. The key definitions to understand are Data Exporters (based in the EU) and Data Importers (based outside of the EU). The SCCs are organised into four modules: (a) Controller to Controller, (b) Controller to Processor, (c) Processor to Processor and (d) Processor to Controller. Each module can be used as a stand-alone contract or the modules can be used together to form a more comprehensive agreement.
The new SCCs have a so-called docking clause, that allows Data Exporters and Data Importers to be added to the clauses over time. This allows maximum flexibility. There are clauses in the SCCs that limit and manage onward data transfers and ensure holistic data protection compliance. Another innovation is the need for Transfer Impact Assessments (TIAs), which must be performed and recorded for all personal data transfers from the EU to countries outside of the EU (third countries).
The UK is in a special position because of Brexit, its departure from the European Union. It is now a third country and so the new SCCs do not apply to it. All data transfers from the UK to third countries may still rely on the EU’s old SCCs and the additional requirement of TIAs. In the longer term, the UK will formulate its own guidance and standard clauses for international transfers.
Inside the Standard Contractual Clauses (SCCs) Project
For the largest companies and organisations, similar contract remediation projects took place in 2010, 2014 and between 2015 and 2016 after the Schrems I case invalidated EU/US Safe Harbor. Work may also have been done in the lead up to May 2018, when GDPR fully came into force. Lessons from these previous efforts can inform current and future SCC projects. However, current SCC implementation projects will be more complicated because of the detailed requirements of GDPR, more complex supply chains, modern cloud computing services, the presence of big data stores and the use of modern pseudonymisation, hashing and anonymisation techniques.
For SCC projects, here is the Insider’s Guide to effective planning and delivery:
- The Data Strategy
Companies and organisations should adopt a clear strategy position about their data and international data flows. The new EU SCCs should not be implemented only as a “papering exercise.” The work should complement the strategy and seek savings, economies of scale and innovation. Supply chains could be simplified, international data flows trimmed and data processors audited and removed, if necessary.
- Data Flows, Risks and Records of Processing Activities (ROPA)
Adopting the new SCCs could also allow organisations to put their global data protection compliance credentials to the test. It is an opportunity to mature Records of Processing Activities under Article 30 of the GDPR. Transfer Impact Assessments can be used to risk assess countries, sectors and organisations as a way of identifying, managing and reducing risks. The risk-based approach should be comprehensive and cover political, economic, human rights, regulatory, international sanctions and information security risks. With this information, companies and organisations could then seek to add contractual, organisational or technical safeguards to respond to these risks.
- The Project Plan and The Multidisciplinary Team
Effective SCC implementation requires a clear project plan and resources, including a realistic and flexible financial budget. Even more important, is a multidisciplinary team including the Data Protection Office (or Data Protection Professionals), Information Security, procurement, the legal team, the service managers, audit and compliance teams. The combined knowledge of these teams, when well organised, can add detail and precision to the work. Service managers and procurement teams often know most about contracting partners, because of their day to day experience and often long-established relationships. External advisors and technology solutions may help to expand the expertise and improve benchmarking.
- Communication, Patience and Dynamism
It is important to remember that the EU SCCs will test supply chains and the relationships between Data Exporters and Data Importers. Communication at every level within each organisation and between the contracting parties is vital. A recognition that each party may prioritise and timetable contractual changes differently, is important. The SCC project can also become a place where other important issues are contested. This includes existing contract performance issues, contractual warranties, indemnities, information security schedules, key performance indicators, insurance, price and audit rights. Patience is required and the ability to remember the key reasons for the data sharing and data transfers. Timetables may slip, but each party should retain enthusiasm and dynamism to gain the required signatures and move to contract performance.
For assistance with EU/UK Standard Contractual Clauses Projects, Legal and Regulatory support, EU GDPR compliance, adopting data privacy certifications and Codes of Practice, contact PrivacySolved:
Telephone: +44 (0) 207 175 9771 (London)
Telephone: +353 1 960 9370 (Dublin)