How to implement the new Standard Contractual Clauses?

For years, the most common basis for legally transferring personal data from the EU to the USA, India or China has been an agreement based on the Standard Contractual Clauses developed by the European Commission (SCC).

In the Schrems II case, the Court of Justice of the European Union (CJEU) held that, although the SCC are still valid, they cannot be applied indiscriminately and those using them must assess whether the third country provides personal data protection at a European level.

And so, on 4 June 2021, the European Commission adopted a new set of SCC to ensure compliance with new legislation. Consequently, all old SCC must be replaced with new ones by 27 December 2022. In the case of large enterprises, this means hundreds and sometimes thousands of contracts having to be signed in line with the new version.

Please note that failure to implement the new SCCs by the deadline may give rise to the following risks:

• Regulatory/legal risks – administrative financial penalties imposed by the supervisory authority;
• PR risk – reputational damage caused by a penalty or public information on inadequate protection of personal data transferred outside the EEA;
• Business risk – loss of business partners’ trust due to inadequate personal data protection.

New SCC. Scope of changes.

The main aim of introducing the new SCC is to ensure adequate safeguards for the transfer of personal data to countries outside the EEA in the absence of a European Commission decision finding that the country has an adequate level of protection. This translates into changes to the structure of contracts and their scope of application.

• The new SCC allows parties to adapt to circumstances using four different, standalone configurations:
  • Controller – Controller
  • Controller – Processor
  • Processor – Controller
  • Processor – Processor
• The newly defined modules contain all the data processing elements set out in Article 28 of the GDPR. Therefore there is no need for an additional data processing agreement.
• The changed clauses can be the basis for transferring personal data even if the controller or exporter is not based in the EEA.
• The choice of law and place of jurisdiction is no longer dictated by the place of business of the data exporter. Even jurisdictions outside the EEA can be considered for the transfer of data from processor to controller.
• The data recipient must inform the data exporter and, where possible, the data subject (with the help of the exporter, if necessary) if it receives a legally binding request for disclosure from a public authority.
• Given their flexibility and modern modular design, the new SCC introduce the requirement to conduct a documented transfer impact assessment (TIA). A TIA is a multi-faceted assessment of the circumstances of, e.g. the transfer of data, the law and practice in the third country.

Implementation of the new SCCmeasures

Entities transferring personal data to third countries should review the basis for the transfers and, if necessary, conclude new contracts using the new SCC applicable from 27 September 2021.

In view of the current transition period ending 27 December 2022, parties that concluded contracts before 27 June 2021 may continue to use the old SCC. Still, they are required to carry out an additional adequacy assessment and implement any necessary supplementary measures as referred to in the EDPB 01/2020 recommendations.

After 27 December 2022, all data transfers based on old SCC must be changed to the new SCC.

What steps to take with the new SCC?

Companies from outside the EEA importing personal data based on the old SCC should make every effort to implement the necessary changes to enable personal data to be transferred legally to third countries before the end of the transition period. In order to do so, it is necessary to identify all existing contracts used based on the old SCC and to decide whether the transfer of data described in them will continue after 26 December 2022. If it is to continue, it is crucial to set an appropriate time limit for updating.

Despite these changes and the high-profile SchremsII judgment, few international companies are aware of the seriousness of the situation. It is therefore worth enlisting the help of qualified legal advisers to guide companies through the rigorous process.

How we can help with the new SCC

Our specialist team advises clients on personal data protection.

We support our clients in, e.g.:

• analysing current and planned personal data transfers to countries outside the EEA in terms of data protection requirements,
• conducting TIAs in accordance with, inter alia, IAPP methodology,
• assessing the law and practice in the third country,
• customising SCC,
• devising solutions other than SCC to mitigate the risk of data transfers being challenged, e.g. by making use of other mechanisms provided for in the GDPR.