The European Commission has introduced new and improved Standard Contractual Clauses (SCCs). The updated concepts can be difficult to grasp, so this blog aims to clear up any confusion by explaining the differences between the old and the new. We break down the primary changes and why they were updated.

Organisations that use the European Union’s SCCs to govern transfers of personal data from the European Economic Area need to adopt the new SCCs for any SCC-based transfer entered into after September 27, 2021.

Any ‘old’ SCCs that were entered into prior to September 27 remain valid until December 27, 2022. However, past this date, organisations that rely on SCCs for transferring personal data must adopt the updated version.

The SCCs go hand in hand with the Schrems II ruling, which promotes the use of transfer impact/risk assessments when transferring personal data. Under the new SCCs, Transfer Impact Assessments are now an express contractual requirement. Organisations should therefore review and reassess their existing data transfers, taking the following steps to assess the risk associated with each transfer:

  • Identify your transfers
  • Identify transfer tools, e.g. an adequacy decision pursuant to Article 45 of the GDPR
  • Assess whether the chosen transfer tools are effective and don’t undermine the level of protection guaranteed by the GDPR
  • Adopt supplementary measures, e.g. technical, contractual, or organisational measures as additional safeguards to the transfer tool
  • Identify procedural steps you may have to take once effective supplementary measures have been identified for the chosen transfer tool.

Why new SCCs?

The SCCs were updated to allow for various types of transfers using a modular approach. In particular, the new SCCs now helpfully provide for processor-to-processor transfers. The clauses now include cross references to legislation to ensure alignment with the GDPR as well as reinforcing its requirements.

The updated version addresses the requirements of the Schrems II judgement, noting however that use of the new SCCs does not remove the need to assess the laws of the relevant third countries and to implement any necessary supplementary safeguards. This point is made clear in both the Implementing Decision and the new SCCs themselves.

The European Commission published two sets of SCCs on June 4 this year. The first step for organisations is to choose the correct set.

  • The ‘First Set’ replaces the current set of standard contractual clauses for transfers of personal data outside the European Economic Area (EEA), which were approved by the Commission under the old Directive 95/46/EC (‘Old SCCs’). This set deals with international transfers of personal data.
  • The ‘Second Set’ may be used for service provider data processing, regardless of whether a transfer outside the EEA is taking place. The Second Set is a standard data processing agreement, which covers the appointment of processors under Article 28 of the GDPR.

The modular approach: which to choose?

Under the ‘first set’, there are four modules available under the new SCCs.

  1. Controller-to-controller, e.g. intra-group transfers of personal data such as HR or marketing, unless there is a service agreement in place where the affiliate or group company acts as a processor
  2. Controller-to-processor, e.g. most common SaaS relationships
  3. Processor-to-processor, e.g. when processors engage with vendors
  4. Processor-to-controller, e.g. when the processor needs to transfer personal data back to a controller who is outside the EEA

Am I an importer or exporter?

After identifying the module of the SCCs that is relevant to your transfers, you need to correctly identify whether you are the party sending the data outside of the EEA (the exporter) or the party outside of the EEA that will be receiving the personal data (the importer). Note that some relationships may require multiple modules, as it is common for organisations to transfer data for different purposes under both a controller-to-controller transfer and a controller-to-processor transfer.

The annexes:

Organisations should focus on completing the annexes and building processes within their organisation to support what they have committed to in these clauses.

  • Annex 1 – Sets out the parties, a description of the transfer, and the competent supervisory authorities (for Modules One, Two and Three)
  • Annex 2 – Should contain the technical and organisational security measures to ensure an appropriate level of protection for the data being exported; this annex should be completed by the data importer
  • Annex 3 – Should contain the list of sub-processors (for Modules Two and Three only)

It is important that organisations use the correct annexes that apply to the transfer.

What do you need to do?

For contracts already in place:

  • Conduct a transfer impact assessment and implement any supplemental measures identified
  • Assess all contracts in place that involve transfers and plan to migrate to the new SCCs by December 2023

For new contracts:

  • Conduct a transfer impact assessment and implement any supplemental measures identified
  • Identify the correct module and role and prepare your annexes for the new contract.

Recommendations

To adhere to the new SCCs, organisations can avail of BH Consulting’s ready-to-use templates and processes, including support for performing a transfer impact assessment. We also provide up-to-date policies for dealing with law enforcement requests via our Data Protection Advisory and Consultancy Services. BH Consulting also has training courses available specifically on the new SCCs.

Cliona Perrick is a data protection analyst with BH Consulting