New set of Standard Contractual Clauses adopted by European Commission
25 June 2021
Regulatory News Alert
Context: the new Standard Contractual Clauses
The Standard Contractual Clauses (SCCs) are sets of standardized contractual terms, conditions and obligations that aim to ensure the transfer of personal data leaving the EU/EEA complies with the EU’s data privacy laws and requirements.
On 4 June, the European Commission adopted a new set of SCCs to align them with the requirements of the General Data Protection Regulation (GDPR), market practices that have changed in the past 20 years, and the Court of Justice of the European Union’s (CJEU) “Schrems II” ruling.
Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) was a ruling made on 16 July 2020 that invalidated the EU-US Privacy Shield, thereby removing the basis for international data transfers between the EU and the US.
All entities that transfer personal data outside of the EU/EEA using the current SCCs will need to use the new SCCs within the next few months, requiring them to provide additional information and perform a risk assessment.
Key features of the new SCCs
- The new SCCs follow a “modular approach”: four data transfer scenarios are now available, as opposed to the “old” SCCs, which could only be applied to data transfers between data controllers and data processors. The data transfer scenarios are the following:
a. Module 1: Controller-to-controller
b. Module 2: Controller-to-processor
c. Module 3: Processor-to-processor
d. Module 4: Processor-to-controller
This new modular approach is advantageous for various transfer scenarios, including the use of subcontractors, and allows for flexibility depending on the type of relationship between the contracting parties.
- The new SCCs stipulate that both parties to the SCC must perform a mandatory transfer impact assessment (TIA) in response to the Schrems II ruling. Both parties must warrant that the laws of the country into which the data is imported (particularly US law) are consistent with the SCCs and the GDPR. Additionally, a TIA will help the parties determine if additional safeguards are required based on the data importer’s country laws.
The TIA must be documented and provided to data protection supervisory authorities upon request.
- The new SCCs allow for multiple data exporting parties to form contracts, and for new parties to be added over time (the so-called “docking clause”) beyond the initial signatories. The prior SCCs were drafted as bipartite agreements, capturing the relationship between two parties at a static point in time, without the express means of adding additional parties over time. The new SCCs state that more than two parties can adhere to a single set of contractual clauses and allow for the addition of new parties over time.
You can access the new SCCs here.
Impact and next steps
The new SCCs come into effect on 27 June 2021.
The new SCCs allow parties to use the prior SCCs for “new” data transfers over a transition period of three months from 27 June 2021. After the transition period, only the new SCCs will apply.
Similarly, the prior SCCs can be used for existing data transfers for up to 18 months from 27 June 2021.
Therefore, concerned entities should do the following:
- Perform data mapping: identify which personal data flows and all relevant contracts (including those regarding employees, customers, suppliers and affiliates) are affected, and whether SCCs are necessary;
- Prepare SCCs that are suited to and pre-filled for your needs based on the four available modules;
- Prepare a template TIA for the specific use cases;
- Assess, using a TIA, whether the laws of the country into which you import data are consistent with the SCCs and the GDPR, and whether any additional safeguards need to be implemented to heighten data protection with regard to data processing; and
- Constantly document and reevaluate your measures.
How can Deloitte help?
The new SCCs are much more specific than the prior SCCs. Entities will need to provide more detailed information concerning their international data transfers.
Deloitte can help with the following tasks:
- Analyze your data transfers and determine whether they fall into the scope of the new SCCs and need to be changed; and
- Analyze the current SCCs in place and recommend necessary changes:
a) Decide on the different modules to implement;
b) Provide a detailed description of the processing activities;
c) Analyze/assess the laws of the country importing the data; and
d) Determine if additional safeguards are required (e.g., encryption, pseudonymization, organizational changes, etc.).
Deloitte’s Regulatory Watch Kaleidoscope service helps you stay ahead of the regulatory curve to better manage and plan upcoming regulations.
Subject matter specialists
Loïc Saint Ghislain
Regulatory Watch Kaleidoscope service