Update Standard Contractual Clauses for international personal data transfers
Still thinking about your New Year’s resolution? Pursuant to the European Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (outside the EEA) pursuant to GDPR, companies have until 27 December 2022 to replace their current sets of SCCs.
Two important deadlines
One important deadline has already passed. Since 27 September 2021, companies subjected to GDPR that are transferring personal data outside the EEA are obliged to use the “new sets of SCCs” published by the European Commission in June 2021 for (i) all new data transfer agreements, and (ii) all amendments to existing data transfer agreements. Today, the “old SCCs” can thus no longer be used.
The second important deadline is set at 27 December 2022. This means that companies have, as from today, more or less 12 months to replace their existing contracts involving the transfer of personal data to recipients outside the EEA.
Main characteristics of the new SCCs
The new sets of SCCs published by the European Commission:
- Do not only contain controller-to-controller provisions or controller-to-processor provisions, but 4 different “modules”, including modules for use by data processors wishing to transfer personal data to a subprocessor or to a data controller outside the EEA;
- Bring the wording and content of SCCs in line with GDPR;
- Incorporate, in the relevant modules, Article 28 GDPR requirements (meaning that no separate data processing agreement is needed for controller-to-processor or processor-to-subprocessor transfers);
- Reinforce data subject rights (e.g. by including express third-party beneficiary rights);
- Allow additional parties to sign-up to already executed SCCs by means of a “docking clause”;
- Contain, for each of the relevant modules, additional rules regarding “onward transfers” of personal data by the “data importer”; and
- Incorporate wording in the context of the aftermath of the “Schrems II” judgement of the Court of Justice of the EU, referring (among other things) to the execution of data transfer impact assessments by the “data exporter”, with the necessary assistance to be provided by the “data importer” (allowing the parties to take the industry practices, the practical experience of data importer and relevant case law into account when performing such assessment).
Mark your ‘to do list’ for 2022
Mapping and replacing your company’s international data transfer agreements, which are most likely still based on the “old SCCs”, may not be an easy task.
We therefore recommend implementing a step-by-step approach, starting with the creation of an up-to-date inventory of the international data transfers undertaken by your company and the transfer tool (SCCs or other) relied upon for this purpose. Note in this context that, for some countries, like Japan, the UK or South-Korea, SCCs may no longer be required following the adoption of adequacy decisions.
As a next step, consider the relevant “modules” and optional clauses of the new SCCs (e.g. the docking clause) and start gathering the factual information required to complete the various schedules to the SCCs. Likely, when examining your “old SCCs”, this information will no longer be up to date.
Finally, start preparing your data transfer impact assessments and reach out to your “data importer” to gather and examine the legal and factual information required to complete such assessment.
This final step may however require some time to be completed, especially where additional data transfer safeguards need to be implemented and discussions with your “data importer” may not always run smoothly. Noting that the performance of a transfer impact assessment is in fact already an (often neglected) obligation today (regardless of your transfer to the new SCCs), don’t postpone this exercise and keep your New Year’s resolution.
We remain of course available to assist with any further question you may have on this topic.
Stéphanie De SmedtCounsel Attorney at Law
Stéphanie De Smedt, attorney at law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT & Commercial Contracts Team, the Data Protection Team and the Life Sciences Team.T: +32 2 773 23 77 E: [email protected]
Don't miss out. Stay up to date about our latest news and events.Stay informed