On the third anniversary of the General Data Protection Regulation, Cooley launched a series of webinar focused on the GDPR.

The GDPR permits the transfer of data from the European Union and the European Economic Area (EEA) to third countries using standard contractual clauses (SCCs), which are a useful mechanism for companies to ensure the international flow of data.

On June 4, 2021, the European Commission published two sets of new SCCs. Below, we detail the 10 things you need to know about them.

#1: What is the difference between the two sets of SCCs? 

One set of SCCs provides a template contract to implement Article 28 of the GDPR, which deals with controller and processor obligations and does not cover the international transfer of data. This first set of clauses is to be used when the data is not exported outside the EEA.

If there is a transfer of personal data outside of the EEA, then the second set of SCCs would apply. These replace the “old” SCCs as a personal data transfer mechanism.

#2: When do we need to start using these new SCCs?

The old SCCs have been repealed with effect from September 27, 2021. We’ve outlined what that means here.

  • New contracts concluded on and after September 27, 2021, must incorporate the new version of the SCCs.
  • Contracts concluded before September 27, 2021, on the basis of the repealed versions of the SCCs will be deemed to provide appropriate safeguards for an additional period of 15 months (i.e., until December 27, 2022), provided that “the processing operations that are the subject matter of the contract remain unchanged and that reliance on the clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of [the GDPR].” In practice, this means that:
    • If, after September 27, 2021, the parties make any changes to an agreement incorporating the repealed versions of the SCCs affecting the processing operations that are to be carried out, the parties will be required to update the agreement to replace the repealed versions of the SCCs with the new versions.
    • Where no such changes are made to existing agreements incorporating the repealed versions of the SCCs, those agreements will need to be updated to include the new version of the SCCs by December 27, 2022 at the latest.

#3: Which data transfer scenarios are covered by the SCCs? 

The SCCs follow a modular approach to cater for various transfer scenarios:

  • Controller to controller (C2C)
  • Controller to processor (C2P)
  • Processor to processor (P2P)
  • Processor to controller (P2C)

This is a real innovation, as the old SCCs only contemplated two scenarios (controller to controller and controller to processor).

The SCCs can also be used by controllers or processors not established in the EU, to the extent that the processing is subject to the GDPR – pursuant to Article 3(2) thereof – because it relates to the offering of goods or services to data subjects in the EU or the monitoring of their behavior as far as it takes place within the EU.

#4: What are the main changes compared to the old transfer SCCs?

These are the main changes introduced in the new SCCs:

  • The clauses are finally aligned with GDPR concepts such as transparency, data subject rights, data breaches, etc.
  • The clauses include a Schrems II “toolbox” for carrying out a data transfer impact assessment.
  • There are two new data scenarios – processor to processor (P2P) and processor to controller (P2C).
  • They have a docking clause (Clause 7) that allows multiple parties to sign the SCCs, and there is more clarity regarding onward transfers, although the concept of onward transfer is broader than in the GDPR because it includes transfers in the same country.

#5: Does adopting the DTA SCCs bring you into compliance with Article 28 of the GDPR? 

The EU Commission has explicitly stated in the SCCs that they comply with Article 28 requirements for controller-processor contracts. However, the SCCs may not be sufficient because not all of the Article 28 obligations are explicitly mentioned in the SCCs or fully aligned with the European Data Protection Board (EDPB) position.

#6: When using the new SCCs, are we fine with Schrems II

Following the decision of the European Court of Justice on the Schrems II case, the new SCCs provide that both parties need to complete a data transfer impact assessment. The parties must document the assessment and state that they have taken any relevant contractual and technical supplementary measures (when necessary). It is important to note that to make this assessment, the parties can take into consideration industry practice and past experience of the data importer in relation to requests from public authorities.

#7: What can we expect from the EDPB in relation to these new transfer SCCs? 

The EDBP is likely to use other guidelines to give its interpretation of the SCCs.

#8: How can we best prepare ourselves?

Companies should start mapping their data flows to flag any new data transfers and review existing agreements based on the old SCCs. It’s important to put a project plan in place involving all key stakeholders identifying tasks and timelines (for example, involving your legal and privacy teams in updating new contract templates). One of the main workstreams to consider now is performing data transfer impact assessments, which will need to be documented as required by the SCCs.

#9: Will the SCCs be endorsed by the UK?

The UK Information Commissioner’s Office (ICO) launched a consultation that ended onOctober 7, 2021, on a new international data transfer agreement and guidance that is intended to replace the EU SCCs. The consultation includes an international transfer risk assessment and tool, as well as a UK addendum to the EU SCCs. The ICO has not endorsed the SCCs and, therefore, for the time being, companies that want to transfer data from the UK to third countries need to continue using the old SCCs.

#10: What if we don’t comply?

The transfers of personal data to a recipient in a third country in breach of Articles 44 – 49 of the GDPR can be subject to an administrative fine of up to €20 million (US$23 million) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Cooley’s cyber/data/privacy group
  • 50+ lawyers globally counseling on privacy, cybersecurity and data protection matters
  • Holistic approach to compliance and security that’s built to preserve and protect enterprise value
  • Market-leading privacy and data breach litigation

Patrick Van Eecke

Tiana Demas

Anne-Gabrielle Haie

Amal Ali

Posted by Cooley