On 4th June 2021 the EU Commission published two sets of standard contractual clauses under the General Data Protection Regulation (“GDPR”):
- Standard contractual clauses for international data transfers (“new SCCs”), which is the much-awaited set of SCCs aimed at enabling lawful transfers of personal data outside the European Economic Area (“EEA”).
- Standard contractual clauses between controllers and processors in the EEA (“Model Data Processing Agreement”), which is a template data processing agreement to be used between controllers and processors within the European Economic Area.
Please see below some Q&As covering the main aspects of these sets of clauses and what they really mean for organisations:
1. What is the difference between these two sets of clauses published by the EU Commission?
The new SCCs are intended to be used when data is exported from a controller or processor in the EEA to a controller or processor outside the EEA, working as appropriate safeguards under Article 45 GDPR. These new SCCs therefore replace the previous SCCs approved under the old Directive 95/46/EC, and they have to be signed unaltered by the parties in order to be valid.
The other set of clauses, referred to above as the Model Data Processing Agreement, does not serve in the context of international data transfers; rather, it works as a template contract between a controller and a processor within the EEA in line with Article 28 GDPR. Please note that this Model Data Processing Agreement does not prevent organisations from using any other contract that meets the Article 28 GDPR requirements. Therefore, unlike the new SCCs, this Model Data Processing Agreement should not entail substantial actions for organisations beyond being a helpful reference model (it is an unfortunate decision to also call them “standard contractual clauses”).
2. What is the difference between the “old” SCCs and the new SCCs?
While the “old” SCCs were approved under the previous Directive 95/46/EC (in 2001, 2003 and 2010), the new SCCs have been updated to be aligned with the GDPR requirements and contain a broader scope, as they also cover additional types of transfers.
3. What types of transfers are covered by the new SCCs?
The new SCCs are modular and can be used for the following types of transfers, provided that the exporter is in the EEA and the importer is outside the EEA:
- Controller to controller (C2C),
- Controller to processor (C2P),
- Processor to sub-processor (P2S), and
- Processor to controller (P2C).
4. Can we still use the “old” SCCs?
According to the implementing decision by the EU Commission, the “old” SCCs can be used for a further 3 months (September 2021). However, it would be advisable to start using the new SCCs as soon as possible.
5. Do we need to update all our existing contracts involving international data transfers?
Yes. Data transfers based on the previous version of the SCCs will have to be updated with the new ones; however, there is a period of up to 18 months (December 2022) to carry out this task.
6. Do the new SCCs provide enough guarantees so that we can “forget” about Schrems II and the EDPB recommendations?
No. While the new SCCs include extra safeguards compared to the old ones, this does not remove the obligation for organisations to assess the legislation of the destination country to determine whether the safeguards contained in the SCCs are sufficient or if supplementary measures should be put in place, in accordance with the CJEU’s Schrems II decision and the Recommendations of the European Data Protection Board on international data transfers.
7. How does this impact UK-based organisations?
Neither the Information Commissioner’s Office nor the UK Government has yet made any pronouncement on these new SCCs, so they would not be valid for transfers from the UK to third countries at this stage. However, it is advisable to stay tuned to see what position the UK takes on these new SCCs. Note also that the ICO recently announced that it is working to produce a new set of UK SCCs. [Update Feb 2022: The UK has approved its new scheme for international data transfers from the UK to third countries, which includes two options: (1) an International Data Transfer Agreement (the new UK equivalent to the EU SCCs), and (2) a “UK Addendum”, a short document that can be added to the EU SCCs and would also be valid to remediate transfers from the UK to third countries].
Nevertheless, if you are a UK organisation importing EEA data, please note that if the UK does not obtain an adequacy decision before the end of the transition period set out in the EU-UK Trade Deal, the new SCCs may have to be used as safeguards for transfers from the EEA to the UK. [Update June 2021: The UK has obtained an adequacy decision from the EU. This means that data can flow between the EU and the UK without putting SCCs in place (please bear in mind that in this case the same requirements as for intra-country data sharing apply, which may include signing an Art. 28 GDPR data processing agreement, among others).]
8. So, what should we do now?
In general terms, the main next steps for organisations should be as follows (please note that the below was written in June 2021, so consider the time-frames accordingly):
- Within the next 3 months (September 2021): designing a BAU process to ensure that new international transfer arrangements being put in place will be risk assessed and will incorporate the new SCCs; and
- Within the next 18 months (December 2022):
  - Mapping all contracts with third parties that need to be remediated, taking the opportunity to also identify all other international data transfers for which there may be no appropriate safeguards in place at the moment;
  - Conducting Data Transfer Impact Assessments to identify whether the new SCCs are indeed sufficient as safeguards to remediate the international transfers identified and, where they are not, plan how to incorporate supplementary measures; and
  - Updating contracts with all third parties involving international data transfers, incorporating the new SCCs and supplementary measures as required.
In short, this update by the EU Commission goes beyond a mere paper exercise and may involve significant efforts for most organisations. It would be advisable not to leave this as a last-minute thing and start planning now how to address this piece of work.