Adopting the new Standard Contractual Clauses to secure international personal data transfers
Recently, the European Commission issued an implementing decision on new standard contractual clauses (“SCCs”) for the transfer of personal data to countries outside the European Economic Area. Organisations need to use the new SCCs from 27 September 2021 onwards. Transitional periods apply for existing international data transfer agreements. To meet their obligations under the General Data Protection Regulation, organisations need to make the appropriate changes in time.
The European Commission issued an implementing decision on new standard contractual clauses (“SCCs”) on 4 June 2021 for the transfer of personal data to countries outside the European Economic Area, including the United Kingdom. As a result:
- From 27 September 2021, any international data transfer that is based on the SCCs transfer mechanism will need to be based on the new SCCs. In addition, if an amendment is made to an existing data transfer agreement from this date, the former SCCs will need to be replaced by the new SCCs;
- By 27 December 2022, the new SCCs need to be incorporated into all international data transfer agreements, irrespective of when these agreements were concluded. Any existing agreements incorporating the former SCCs need to be replaced by this date.
To comply with the General Data Protection Regulation (“GDPR”), organisations must map and review their international data transfers and the corresponding transfer mechanisms in order to make the appropriate changes in time.
Compliance, Schrems II, new SCCs and the most important changes
Using standard contractual clauses does not automatically make an international data transfer compliant with the GDPR. The parties must adequately assess and document any international data transfer and must address the corresponding risks and take supplementary measures to the extent required. Schrems II and the European Data Protection Board’s (“EDPB”) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”) and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Essential Guarantees”) provide relevant criteria in that regard.
The impact of Schrems II on international data transfers has been taken into consideration in the new SCCs, together with the need to align the former SCCs with the GDPR and bring them up to date with developments in the digital economy. The new SCCs provide a framework to structure what are termed ‘transfer impact assessments’ (“TIA”), and they shed light on parties’ obligations to conduct such a TIA.
The most important changes in the new SCCs are:
- Broadened scope: The new SCCs supplement the existing controller-to-controller (“C2C”) and controller-to-processor (“C2P”) modules with processor-to-processor (“P2P”) and processor-to-controller (“P2C”) modules.
- GDPR alignment: The new SCCs closely align with the terminology and provisions of the GDPR and have incorporated the requirements of Article 28 GDPR into the C2P and P2P modules.
- Docking clause: The new SCCs facilitate multi-party configurations by allowing new parties to accede to the international data transfer agreement between the existing parties throughout the lifecycle of the agreement.
- Transfer impact assessment: The new SCCs specify the requirement to conduct a transfer impact assessment. Data exporters and data importers need to assess whether the laws and practices of the third country pose a barrier to the data importer’s compliance with the new SCCs. The new SCCs list certain matters that need to be taken into account in that regard, ranging from the circumstances of the transfer to the nature of the parties and personal data involved, and from the laws and practices of the third country of destination to the existence of any supplementary measures. The EDPB’s Recommendations and the Essential Guarantees provide additional guidance on these aspects of the assessment.
- Active accountability: The new SCCs make clear that data exporters and data importers need to be able to demonstrate compliance with the new SCCs from the outset and on an ongoing basis. The new SCCs lay down the responsibilities and obligations for the data exporter and data importer; for example, the data importer’s obligations to perform a legality review and its notification and documentation obligations when it receives a legally binding request to access personal data from competent authorities.
- Explicit data subject rights: The new SCCs now explicitly mention that, upon request, data subjects must be provided with a copy or a meaningful summary of the international data transfer agreement. In addition, they need to be notified in the event of a high-risk data breach as well as of any access request by competent authorities (if permitted).
Actions to be taken
To the extent not already done, it is recommended that organisations ensure that:
- they review and map their data transfers and the corresponding transfer mechanisms;
- from 27 September 2021, any new international data transfer agreement incorporates the new SCCs;
- any alteration of an existing international data transfer agreement prior to 27 December 2022 includes replacing the former SCCs with the new SCCs;
- counterparties to existing international data transfer agreements are informed that the former SCCs will need to be replaced by the new SCCs no later than 27 December 2022;
- they collect the information necessary to complete any documentation, such as choosing the appropriate new SCCs module and relevant options within this module, etc.;
- they conduct and document a TIA for every international data transfer to ascertain that data importers can actually fulfil the obligations in the new SCCs; and
- they familiarise themselves with their obligations under the new SCCs and set up procedures to ensure that these can be satisfied, including periodic compliance reviews.
With special thanks to Roosmarijn Hobbelen.