Which version of the Standard Contractual Clauses for transfer of personal data from EU to third countries does your company use?
In the end of December 2022, it becomes mandatory for companies to start using the European Commission’s Standard Contractual Clauses for cross-border transfer to third countries. Mathilde Lecomte, one of Fondia’s experts within data protection, will in this article give you insights on the so-called SCCs, the deadline and what actions your company needs to take so that the transfer to third countries remain in compliance with the data protection rules.
Standard Contractual Clauses
As a brief introduction, the Standard Contractual Clauses (“SCC”) are amongst others a tool used for cross-border data transfer to third countries. Without such a tool, the transfer of personal data from the European Union to third countries is limited. The SCCs are therefore an important tool for businesses throughout the world.
On the 4th of June 2021, the European Commission adopted two new sets of standard contractual clauses, replacing the earlier sets of SCCs that had been issued under the 1995 Data Protection Directive. The first set was designed for the relationship between controllers and processors and the second set was conceived as a tool for data transfers to third countries. The modernised SCCs were drafted to comply with the General Data Protection Regulation (“GDPR”) and the European Commission’s decision was long awaited by stakeholders after the Schrems II judgement of the Court of Justice (in which the Privacy Shield, another transfer tool used for data transfer between the European Union and the United States, was invalidated and the Court concluded that the SCCs in themselves are not sufficient to make data transfer legal). We will focus on the SCCs that are a tool for data transfers to third countries.
Businesses have been granted a grace period before the use of the new SCCs becomes mandatory, but the deadline for implementation is fast approaching. Here are a few things your business needs to think of this autumn to remain in compliance with data protection rules on the 27th of December 2022, if you don’t want to spend Christmas at the office.
When is the BIG deadline and what do we need to do?
All contracts entered into after the 27th of September 2021 must incorporate the new SCCs. Contracts entered into before the 27th September 2021 that use the old SCCs must be updated to include or refer to the new SCCs by the 27th of December 2022 at the latest, to continue to benefit from the legal certainty offered by the SCCs. Should the contracts not be updated with the latest version of the SCCs, there is a risk that the transfer of personal data to third countries in question no longer complies with data protection rules.
Are there any advantages for our business?
SCCs are ready-made sets of clauses that have been pre-approved. They are not mandatory to use but can easily be implemented in a business agreement without having to negotiate with business partners. Given that they offer a high level of protection when personal data is transferred outside the EU/EEA, they can be used for international data transfers without the need to obtain prior approval from a data protection authority.
What’s new with these updates SCCs then?
One important aspect is that the new SCCs to be used for data transfers to third countries have a modular structure, which allows them to cover more scenarios than the old ones: controller-to-controller (module 1), controller-to-processor (module 2), processor-to-processor (module 3), processor-to-controller (module 4). This means that the parties must now select the module applicable to their situation, so as to tailor their obligations under the SCCs to their role and responsibilities in relation to the data processing at stake.
How can the SCCs be a tool for international data transfers?
The SCCs aim to provide appropriate safeguards in order to ensure that personal data transferred on their basis is awarded the same level of protection as in the EU. The SCCs provide stipulate amongst others that a transfer impact assessment should be carried out before any international data transfer takes place, documenting the laws of the country of destination and the additional safeguards that are in place. Given that the SCC’s are pre-approved standard sets of clauses, the content should not be altered other than to choose from the different modules and options. Making undue changes to the text would undermine the legal certainty conferred to the SCCs and they could no longer be used as a basis for international data transfer. Adding other clauses or additional safeguards is however accepted, provided that they do not contradict the SCCs.
Where can we find these SCCs?
The SCCs for international transfers are available here.
More about the new SCCs
The European Commission has issued Q&As related to the news SCCs. If you have additional questions regarding the SCCs or need help reviewing your business agreements in light of the new SCCs, we would be glad to assist you.