New set of Standard Contractual Clauses adopted by European Commission


25 June 2021

Regulatory News Alert

Context: the new Standard Contractual Clauses

The Standard Contractual Clauses (SCCs) are sets of standardized contractual terms, conditions and obligations that aim to ensure the transfer of personal data leaving the EU/EEA complies with the EU’s data privacy laws and requirements.

On 4 June, the European Commission adopted a new set of SCCs to align them with the requirements of the General Data Protection Regulation (GDPR), market practices that have changed in the past 20 years, and the Court of Justice of the European Union’s (CJEU) “Schrems II” ruling.

Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) was a ruling made on 16 July 2020 that invalidated the EU-US Privacy Shield, thereby removing the basis for international data transfers between the EU and the US.

All entities that transfer personal data outside of the EU/EEA using the current SCCs will need to use the new SCCs within the next few months, requiring them to provide additional information and perform a risk assessment.

Key features of the new SCCs

  1. The new SCCs follow a “modular approach”: four data transfer scenarios are now available, as opposed to the “old” SCCs, which could only be applied to data transfers between data controllers and data processors. The data transfer scenarios are the following:
         a. Module 1: Controller-to-controller
         b. Module 2: Controller-to-processor
         c. Module 3: Processor-to-processor
         d. Module 4: Processor-to-controller

    This new modular approach is advantageous for various transfer scenarios, including the use of subcontractors, and allows for flexibility depending on the type of relationship between the contracting parties.
  2. The new SCCs stipulate that both parties to the SCC must perform a mandatory transfer impact assessment (TIA) in response to the Schrems II ruling. Both parties must warrant that the laws of the country into which the data is imported (particularly US law) are consistent with the SCCs and the GDPR. Additionally, a TIA will help the parties determine if additional safeguards are required based on the laws of the data importer’s country.
    The TIA must be documented and provided to data protection supervisory authorities upon request.
  3. The new SCCs allow for multiple data exporting parties to form contracts, and for new parties to be added over time (the so-called “docking clause”) beyond the initial signatories. The prior SCCs were drafted as bipartite agreements, capturing the relationship between two parties at a static point in time, without the express means of adding additional parties over time. The new SCCs state that more than two parties can adhere to a single set of contractual clauses and allow for the addition of new parties over time.

You can access the new SCCs here.
 

Impact and next steps

The new SCCs come into effect on 27 June 2021.

The new SCCs allow parties to use the prior SCCs for “new” data transfers over a transition period of three months from 27 June 2021. After the transition period, only the new SCCs will apply.

Similarly, the prior SCCs can be used for existing data transfers for up to 18 months from 27 June 2021.

Therefore, concerned entities should do the following:

  1. Perform data mapping: identify which personal data flows and all relevant contracts (including those regarding employees, customers, suppliers and affiliates) are affected, and whether SCCs are necessary;
  2. Prepare SCCs that are suited to and pre-filled for your needs based on the four available modules;
  3. Prepare a template TIA for the specific use cases;
  4. Assess, using a TIA, whether the laws of the country into which you import data are consistent with the SCCs and the GDPR, and whether any additional safeguards need to be implemented to heighten data protection with regard to data processing; and
  5. Constantly document and reevaluate your measures.
     

How can Deloitte help?

The new SCCs are much more specific than the prior SCCs. Entities will need to provide more detailed information concerning their international data transfers.

Deloitte can help with the following tasks:

  1. Analyze your data transfers and determine whether they fall into the scope of the new SCCs and need to be changed; and
  2. Analyze the current SCCs in place and recommend necessary changes:
    a) Decide on the different modules to implement;
    b) Provide a detailed description of the processing activities;
    c) Analyze/assess the laws of the country importing the data; and
    d) Determine if additional safeguards are required (e.g., encryption, pseudonymization, organizational changes, etc.).

Deloitte’s Regulatory Watch Kaleidoscope service helps you stay ahead of the regulatory curve to better manage and plan upcoming regulations.

Contacts

Subject matter specialists

Irina Hedea
Partner – Information & Technology Risk
Tel: +352 45145 2944
ighedea@deloitte.lu

Georges Wantz
Managing Director – Advisory & Consulting
Tel: +352 45145 4363
gwantz@deloitte.lu

Loïc Saint Ghislain
Director – Advisory & Consulting
Tel: +352 45145 2595
lsaintghislain@deloitte.lu

Aleksandra Suwala
Manager – Advisory & Consulting
Tel: +352 45145 3718
asuwala@deloitte.lu


Regulatory Watch Kaleidoscope service

Simon Ramos
Partner – IM Advisory & Consulting
Leader
Tel: +352 45145 2702
siramos@deloitte.lu

Jean-Philippe Peters
Partner – Risk Advisory
Tel: +352 45145 2276
jppeters@deloitte.lu

Benoit Sauvage
Director – Risk Advisory
Tel: +352 45145 4220
bsauvage@deloitte.lu

Marijana Vuksic
Senior Manager – Risk Advisory
Tel: +352 45145 2311
mvuksic@deloitte.lu
