The new Standard Contractual Clauses (SCCs) governing the transfer of personal data to a third country outside the EU are now in force. The first deadline, requiring companies to put the new SCCs into force for new transfer agreements, is today, 27th September 2021.
While there’s plenty of information out there explaining the finer details of the legal points, there’s a dearth of information regarding the practical implications for firms. What do you need to do to make sure your firm remains compliant with the GDPR in light of the changes to the SCCs?
A brief history of Standard Contractual Clauses (SCCs)
The need for SCCs arises due to Chapter V of the EU GDPR, which puts specific obligations on data controllers and processors who transfer data to a third country outside of the EU.
SCCs are generally used when there has been no decision on adequacy regarding the data protection regulations in the third country in question. The SCCs ensure an appropriate legal safeguarding mechanism is in place to allow EU standards of data protection to travel with the data.
SCCs predate the GDPR, having been introduced under the old Data Protection Directive. However, when the GDPR came into force in 2018, it didn’t update any SCCs in line with the new regulation, simply allowing organizations to apply the old SCCs.
The impact of the Schrems II ruling on SCCs
Now, thanks mainly to the landmark Schrems II ruling, the EU has taken action to update the old SCCs in line with the GDPR. The Schrems II ruling overturns the adequacy decision regarding the transfer of data to the US, meaning firms are now obliged to put the new SCCs in place for any transfers of personal data to the US.
The net result is that firms have another significant project on their hands, the biggest in data protection since the GDPR itself came into force.
In today’s business environment, data from customers and prospective customers, suppliers, contractors, employees, and even website visitors can flow through any of the hundreds of applications used by companies.
Data controllers are responsible for ensuring that the new SCCs are in place for all data traveling to third countries without an adequacy agreement in place, and the last deadline for compliance is in December 2022.
Firms need a robust plan – no shortcuts
One of the most critical elements to understand about the new SCCs is that they impose a warranty on all parties involved in the data transfer.
Parties must declare that they have no reason to believe that the laws and practices of the third country would prevent them from fulfilling the terms of the SCC. That is to say, they must ensure that the data is protected to the same degree as it would be in the EU. The basis of this warranty is a Transfer Impact Assessment (TIA) that must be conducted for each data transfer.
So given the obligations, it’s evident that transitioning cannot be approached as a mere tick-box exercise. Firms need to have a robust plan to ensure that they can stay ahead of the changes, which will require a systematic implementation involving three critical steps.
Three steps to implementing the new Standard Contractual Clauses (SCCs)
1. Data Mapping
The scope of the new SCCs covers all personal data being transferred to a third country for which no adequacy agreement is in place, which includes the US. Therefore, along with where the data is being transferred, the company needs to consider:
- Which data is being transferred – personal data may include the obvious, such as names or addresses, but it could also include IP addresses or browsing history
- For whom is the organization transferring data – customers, employees, website visitors, etc.
- How data is held or processed – personal data may not only be held as text files – images, audio files, or paper documents are all covered
- Who, or which entities, are responsible for controlling and processing the data in each jurisdiction? Even internal transfers within the same company are covered, as well as data transferred to third parties. For example, if XY Widgets has a factory in Dublin but is headquartered in Wisconsin, then all the personal data covering the Dublin site that travels to Wisconsin is in the scope of the new SCCs.
Ultimately, organizations need to ensure that they have a full data map that identifies exactly where data is being transferred across international borders, and to/from which counterparties. You’ll also need copies of any existing contractual arrangements governing the transfer of data.
This data map will form the basis of the next stage, conducting Transfer Impact Assessments.
2. Transfer Impact Assessments (TIAs)
As we covered earlier, the Transfer Impact Assessment (TIA) forms the basis of the warranty between parties. The TIA must be available for inspection by supervisory authorities within the EU country where the data originates, if required.
It must consider the circumstances of the transfer such as the purpose of the processing, the actors involved, the type of data covered, and more, in light of the laws and regulations of the country in question. Therefore, it also needs to be updated when any relevant legislative change takes effect.
Organizations will need to prepare a template assessment document covering all of the various considerations regarding the data and assessing the third country laws for their adequacy under the SCCs.
3. Repapering
Repapering will involve two parts. Firstly, all new arrangements for transferring data will have to be concluded using the new SCCs.
As mentioned above, the EU deadline for this step is today (27 September 2021). Therefore, the most immediate priority is to ensure that there are new procedures and template documentation in place for any new transfer arrangements concluded.
The next step will involve issuing the new SCCs to all existing transfer arrangements. While this sounds straightforward, it’s worth noting that the new SCCs cannot be modified, and they take precedence over any other contractual provisions. Therefore, it’s necessary to review any existing agreements for data processing to ensure there are no conflicts with the new SCCs.
The new SCCs are modular, with four clauses covering the transfer of data between processors and controllers. As such, the organization will also need to determine the nature of each transfer to apply the appropriate modules to the transfer.
The deadline for phasing out the old SCCs entirely and replacing all agreements with new SCCs is 27 December 2022.
Make sure you consider all options
It’s evident that firms have their work cut out to make sure they’re compliant with the new SCCs. The process outlined above may appear arduous, but it’s possible to automate many of the steps involved, or outsource parts of the exercise altogether.
For instance, data mapping becomes easier with scanning software that detects the movement of particular data types across systems. Contract review software can quickly pinpoint relevant clauses without needing someone to sift through piles of paperwork.
There is a range of options here. Alternative legal solution providers (ALSPs) are gearing up to support firms with these changes, so consider assessing different solutions to compliance before launching into a manual project.
Deadline day (one of two)
As mentioned at the start of this article, today is deadline day, but it’s only the first of two.
Today is the day by which new arrangements must use the new SCCs. But the work is far from over, and the projects are only just getting going in earnest.
The next key deadline is 27 December 2022, as contracts that incorporate prior SCCs will remain valid until this date, after which time the new SCCs must be entered into in replacement of the prior SCCs.
Read our whitepaper for a practical guide on how to bring your organization into compliance
Johnson Hana has put together a detailed guide on how compliance with the new SCCs can be achieved.
It includes step-by-step guidance on how to build a data map and how to carry out transfer impact assessments, recommendations on how to conduct the repapering exercises, and a look at what to do next.
You can download the whitepaper here: Replacement Standard Contractual Clauses (SCCs): A Practical Guide