June 2021 – On 4 June 2021, the European Commission updated its standard contractual clauses for transfers of personal data to third countries and also released new standard clauses for controller-to-processor relationships. As data transfer standard contractual clauses (“SCCs”) can easily be incorporated into data processing agreements, they represent a widely sought-out mechanism for businesses to ensure data protection compliance when exporting data to third countries. Those businesses that rely on SCCs should now make plans to update their existing agreements to accommodate the recent changes.
SCCs for data transfers to third countries
Under Article 46, GDPR, in order to transfer personal data outside the EU/EEA, data exporters must first implement appropriate safeguards to ensure an adequate level of data protection. One way to achieve this is through standard contractual clauses adopted by the European Commission.
The Commission’s decision to review its SCCs was prompted by their becoming outdated due to the adoption of the GDPR, as well as in response to recent developments in EU case law. The main advantage of the new SCCs is their modular design. While the original SCCs issued in 2004 and 2010 only covered controller-to-controller and controller-to-processor transfers, the new version also offers modalities for C2C, C2P, P2P and P2C data exports – thus covering virtually the entire spectrum of data transfer relationships. In contrast to the former SCCs, which were structured as bilateral contracts, the Commission now expressly recognizes that SCCs may be concluded between multiple parties and that additional parties may accede to them by utilising an incorporated “docking clause”. This is particularly useful for complex deals and intra-group transfers. The SCCs may be relied on by EEA-based entities as well as by foreign entities subject to the GDPR.
The former SCCs will remain valid for the next three months, thus avoiding disruptions to ongoing DPA negotiations. In addition, the Commission has set a transition period of 18 months during which the former SCCs will still be recognised as appropriate safeguards for data transfers under Article 46, GDPR.
How to prepare?
To best align your data protection practice with the updated Article 46 SCCs, consider the following steps:
Develop a strategy: Different approaches can be taken and if large numbers of business partners are involved, it could be difficult to update all agreements at once.
Update DPA templates by 27 September 2021: Update your data processing agreement templates and technical and organisational measures to conform with the provisions of the new SCCs.
Renegotiate agreements by 27 December 2022: Incorporate the new SCCs into existing data processing agreements. This could be a laborious task and we advise starting by identifying the key agreements to address first. Prioritise contacting your data processors. In our experience, controllers can generally be expected to be more proactive in responding to such changes.
In addition, data exporters should be mindful not to overlook compliance with the Schrems II decision (more here). Although the updated SCCs reflect current CJEU rulings, signing SCCs is not in itself sufficient to ensure full data transfer compliance. In particular, data exporters must undertake data transfer impact assessments prior to transferring any personal data to a so-called non-adequate third country.
Together with data transfer SCCs, the Commission has also adopted standard clauses for data processing agreements, pursuant to Article 28 (3) and (4) of the GDPR. As most larger organisations already rely on their own templates for DPAs, such SCCs will likely be less significant for data protection practices going forward. Nonetheless, they may still be more convenient for organisations with lower administrative capacities and also assist in assessing the compliance of DPA templates with the Commission’s interpretation of the GDPR. Businesses may also want to devise a strategy for when a counterparty proposes to conclude the SCCs in DPA negotiations.
For more information please contact:
Zdeněk Kučera, Counsel, firstname.lastname@example.org
Lukáš Mrázik, Associate, email@example.com