Last update: 16 June 2021
Following the GDPR becoming applicable in May 2018 and the Court of Justice of the EU's ruling in Schrems II in July 2020, the long-awaited new Standard Contractual Clauses (New SCCs) have finally been published. These New SCCs will come into effect on 27 June 2021.
The prior SCCs were designed before the GDPR existed and, although they were upheld in the Schrems II case, the prior SCCs lacked reliability and practicability. The New SCCs allow for more types of transfers of personal data using a modular approach, instead of the more rigid and limited scope of the prior SCCs.
What happened?
The European Commission published two sets of New SCCs, which will apply as of 27 June 2021:
- Data transfer mechanism for transfers to third countries: The first set deals with transfers of personal data outside the European Economic Area (EEA) to recipients in countries without an adequate level of data protection (adequacy decision of the Commission). This set replaces the current SCCs. The set should enable the transfer of personal data to recipients in third countries by providing sufficient contractual safeguards for the protection of personal data.
- Data processing agreement: The second set is designed to meet the requirements of article 28 GDPR (data processing agreements with processors). It can be used when a controller engages a processor, regardless of whether a transfer of personal data takes place outside the EEA.
Our focus in this newsletter is on the first set, i.e., data transfers to third countries. It will be mandatory to transition to these New SCCs in the absence of other instruments to legitimize data transfers to third countries.
What are the main changes for the first set of New SCCs?
Adequacy and supplementary measures assessments. In view of the Schrems II ruling, the New SCCs contain a new section, compared to the prior SCCs, aimed at ensuring that the local laws of the importing third country do not prevent the data importer from fulfilling the requirements of the New SCCs and, thus, do not undermine the essentially equivalent level of data protection that should be guaranteed.
It is required that:
(i) Parties warrant that local laws do not prevent the data importer from fulfilling the applicable requirements, based on an understanding of those laws and on the conclusion that those laws do not exceed what is necessary and proportionate in a democratic society. For this assessment, the following should be taken into account:
a. the specific circumstances of the transfer;
b. the laws and practices of the destination country; and
c. any relevant contractual, technical, or organizational safeguards that are put in place. If local laws may interfere with the privacy rights of data subjects, parties must adopt appropriate supplementary contractual, technical or organizational measures. The newly introduced Annex II provides examples of supplementary safeguards, including encryption, certification, testing and logging.
(ii) the data exporter determines that the data importer is able to fulfill its requirements;
(iii) the data importer uses best efforts to provide the data exporter with relevant information and cooperation;
(iv) the local law assessment is documented and made available to the competent data protection authority upon request.
These requirements show that the local law and supplementary measures assessments are still required and merely formalize the outcome of the Schrems II ruling. It is also good to note that the European Data Protection Board (EDPB) is expected to publish the final version of its guidance on the assessment of possible supplementary measures at the end of June 2021.
Modular and multi-party/accession structure. Data exporting parties can now choose a module within the New SCCs that is applicable to the nature of their exports and only use the relevant clauses of this specific module.
(i) Module 1 deals with controller-to-controller transfers;
(ii) Module 2 deals with controller-to-processor transfers;
(iii) Module 3 is to be used for processor-to-processor transfers; and
(iv) Module 4 is to be used for processor-to-controller transfers.
The prior SCCs did not provide the means for exporting processors to ensure legal compliance and often created challenges when trying to implement SCCs within large intra- or extra-group relations. The New SCCs, with their modular design, take the complex data ecosystem of companies more into account.
Additionally, the New SCCs allow for new parties to be added to the contract over time (the so-called "docking clause") and explicitly allow for more than two parties to enter into the New SCCs, which is also useful for onward transfers to other parties.
Geographic scope. The prior SCCs could only be used if the data exporter was established in the EEA. The New SCCs allow non-EEA data exporters to enter into SCCs, i.e., with another non-EEA data processor or non-EEA controller, which finally addresses the extraterritorial scope of application of the GDPR to non-EEA controllers.
Very detailed specification required. Annex I of the New SCCs handles the specification of the parties, the transfers, the competent authority and, probably most importantly, the requirement for data importers that make onward transfers to sub-processors to specify the subject matter, nature and duration of these sub-processor transfers. This requires more extensive data mapping and more transparency from companies processing and controlling data. Based on Annex II, it will become required for the contracting parties to be very specific about the organizational and technical measures to be implemented to protect personal data. Lastly, Annex III sets out a list of sub-processors for which the data exporter must give specific authorization to the data importer. This list can be used instead of a general authorization to engage sub-processors, but it is not mandatory when implementing the New SCCs.
Data processing agreement not required. The prior SCCs could only be used for the international transfer of personal data to third countries. On top of the requirements for international data transfers to third countries, the relevant modules of the New SCCs also cover the requirements for data processing agreements when engaging a processor under article 28 GDPR. This means that it will not be required to also conclude a data processing agreement with non-EEA processors if parties conclude the New SCCs, but the New SCCs still allow parties to make additional arrangements that do not conflict with the New SCCs.
More extensive data breach notification requirements. The New SCCs add further personal data breach requirements, especially for non-EEA controllers. In controller-to-controller situations, the data importer will be required to report personal data breaches to the data exporter as well as to the competent supervisory authority, and also to the data subjects if the breach is likely to result in a high risk to the rights and freedoms of natural persons.
What to do and when to do it?
The Implementing Decision provides that the New SCCs will come into force on 27 June 2021. The Commission then provides an 18-month transition period (thus until 27 December 2022) to replace current contracts that govern current data transfers. This seems generous, but given the significant changes compared to the prior SCCs, we advise organizations to start preparing the replacement of current contracts as soon as possible. Please also note that, if your organization initiates new data transfers in the three months after 27 June 2021, these new data transfers may still rely on the prior SCCs. In practice this means that any organization that starts to transfer data outside the EEA after 27 September 2021 must rely on the New SCCs. In short:
- Map all data transfers to third countries based on the old SCCs;
- Assess the duration of the underlying service agreement(s) and the accompanying continuation of data transfers;
- Start using the New SCCs for relevant new agreements with data transfers to third countries;
- In any case, do not use the old SCCs for new agreements with data transfers to third countries after 27 September 2021;
- Transition any old SCCs in already existing agreements/data transfers to the New SCCs at least before 28 December 2022.
Do you have any questions about the New SCCs? Please contact one of our Privacy Team members.