Templates for New Standard Contractual Clauses now available
9th June 2021
Have you been waiting, uneasily, for the new SCCs to enable the compliant transfer of personal data outside of the EEA? If so, your wait is over.
For those that need a reminder, Standard Contractual Clauses or SCCs are template data transfer agreements that allow data exporters to transfer personal data to countries outside of the EEA – specifically to countries that don’t already have an ‘adequate’ level of data privacy regulation in their country, as decided by the European Commission.
SCCs were most recently in the news in July 2020 when data privacy activist Max Schrems had his case (most commonly referred to as Schrems II) upheld. This meant that the previous mechanism for exporting data from Europe to the US, known as Privacy Shield, was no longer deemed adequate. The result of this is that SCCs are now needed if you are transferring data to America.
The new clauses replace the old SCCs, which were initially designed more than ten years ago and were no longer fit for purpose (for example, they referred to legislation that is no longer in effect).
The result is that the European Commission has published a new set of Contractual Clauses, which reflect both the requirements of the GDPR and the impact of the Schrems II decision.
The new SCCs are much more modular than the old ones they replace. This makes them much more practical to use, particularly if there is a complicated process. The different situations covered include:
- Controller to controller
- Controller to processor
- Processor to controller
- Processor to processor
The challenge for organisations is that this new tailored SCC approach will require careful thought and attention, as the clauses place significantly more legal obligations on all parties to the contract. For example, parties are required to perform due diligence not just on the data exporter and importer but also on any Third country to which the data is being transferred; this is referred to as the ‘double due diligence test’.
Need to know
The European Commission has given organisations approximately 18 months to comply with the new SCCs, but they can and should be used for new agreements from 27 June 2021.
Any agreements you have in place on the old SCCs will need replacing with the new ones by December 2022.
While the modular approach is more practical, it does mean that organisations can no longer get away with simply copying and pasting what went before. Each agreement needs to be carefully considered in its own right, with particular emphasis now being put on you doing the due diligence on the country into which you are exporting the personal data.
Brexit has complicated matters for UK organisations, but put simply, if a Controller or Processor in the EEA wishes to transfer data to the UK and we do NOT achieve an adequacy decision from the EU, an agreement which includes the new SCCs will need to be in place between the UK and EEA organisations. If we obtain an adequacy decision this will not be necessary, unless we are forwarding the data to a Third Country, in which case SCCs will need to be in place between all parties.
If a UK organisation wishes to share non-EU citizens’ data with a Third country, then we will need to issue the UK version of the SCCs, which the Information Commissioner’s Office intends to issue later this year. It is highly likely that the UK SCCs will align very closely with the EU SCCs. The ICO will be consulting on the content of the SCCs shortly.
We will advise you of these as soon as we become aware of what the ICO decides.
Need to do
While the modular approach does make the SCCs a more workable solution for overseas personal data transfer, there is much forethought that needs to go into the creation of your new SCCs. Here are a few of the considerations you ought to bear in mind:
As an initial task, we suggest that it would be sensible to do an audit and plan along the following lines so that you are prepared for when (not ‘if’, because it will happen, sooner rather than later) the ICO decides on what the UK version will be.
- Document what SCCs you have in place already. Make a plan to begin replacing them. Certainly, start doing your due diligence on the receiving country/organisation to see how adequate their privacy processes are. This is an excellent time to make sure you don’t have any missing. Are you moving any personal data inside / outside of the EEA?
- Create a process for informing data subjects about the revised SCCs and ensure you can supply them with a summary copy.
- Ensure all of your compliance procedures are clearly documented and evidenced.
- Create questionnaires to send to data importers as part of your due diligence procedures.
There is a lot to be aware of in a constantly evolving data governance landscape. If you’d benefit from the peace of mind and additional support available from working with specialists in this field, please contact us here at The Griffin House Consultancy to take advantage of your complimentary 30-minute consultation.