Co-authored by Rachael Reinis
On Friday, June 4, 2021, the European Commission published the highly anticipated new standard contractual clauses (SCCs). This is the first revision since 2010. SCCs have been the preferred mechanism governing personal data transfers for many organizations since the General Data Protection Regulation (GDPR) became enforceable in 2018, and even more organizations have since turned to SCCs following last summer’s invalidation of the Privacy Shield framework as a valid transfer mechanism.
As the privacy community took the weekend to digest the new clauses, here are a few of the insights:
First and foremost, there is a transition period
- The prior SCCs are expected to be formally repealed in three months (September 2021), at which point any new contracts must use the new clauses. All existing contracts also need to be transitioned, but over a longer total timeline of 18 months, bringing the deadline to the end of 2022. Relying upon existing data processing agreements (DPAs) will not be sufficient for GDPR compliance.
There are new modules depending on the type of relationship between the two entities
- The new SCCs combine general clauses with a modular approach that addresses more data transfer scenarios than the prior SCCs. For U.S.-based companies supporting European customers, the most common modules will be numbers two and four, depending on whether the controller or the processor initiates the clauses. Additionally, there is an included docking clause to allow for increased flexibility where new parties may join the processing chain after the initial contract execution. Evaluating the transfer relationship and implementing clauses with the appropriate modules will be necessary for GDPR compliance.
- As a result of the Schrems II decision, Clauses 14 and 15 have been added. They require, respectively, that a data transfer assessment be performed and that the data exporter be notified when a request from a public authority for access to the data has been received. Simply signing new DPAs by themselves will not be sufficient; to comply with GDPR they must be accompanied by a data transfer assessment.
17 possible technical and organizational measures in Annex II
- Information is added in both the clauses and Annex II regarding the technical and organizational measures that may be needed, or are recommended, in order to provide sufficient guarantees of data protection; these measures must be described in specific terms. Formal identification of appropriate safeguards is now a required element of a DPA and necessary for GDPR compliance.
Overall, these new SCCs bring positive developments. Yet to come are the European Data Protection Board’s (EDPB) updated guidelines around implementing these new SCCs and the supplementary safeguard measures.
What should organizations do now?
For any organization that has more than a handful of contracts to transition, consider approaching this from a project perspective. There is no need to rush, especially given the forthcoming EDPB guidelines.
As mentioned above, the new clauses are broken out into modules, so different modules will apply to different vendors. Focus on a few key questions:
- Is there documentation accounting for all current processing activities?
- Are all data transfers and their current transfer mechanism accounted for?
- Which organization in the processing chain currently owns the contract (i.e., controller, processor)?
In the near term, a refresh of your records of processing activities (RoPA) or other data map is a great starting point, especially if the last comprehensive evaluation was at the onset of GDPR enforcement three years ago.
More information on SCCs can be found in the prior article, EU data transfers: transitioning to standard contractual clauses in 2021.