On Friday, 4 June 2021, the European Commission finally issued the long-awaited new standard contractual clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA. These modernized SCCs replace the sets of SCCs that were adopted under the previous Data Protection Directive and that companies have used until now. The following article gives an overview of the main changes and of what you could do now.
The old SCCs were issued under the Data Protection Directive, which preceded the GDPR and was in many respects no longer up to date. They needed a make-over, also in light of the Schrems II decision, which invalidated the Privacy Shield last year, on which thousands of companies had based their data transfers to the US. The Commission is responding to developments in the digital economy, in particular the widespread use of new and more complex processing operations involving multiple data importers and exporters. The new SCCs are meant to reflect those realities better by covering additional transfer scenarios and enabling a more flexible approach.
Some of the main differences
The new SCCs contain more provisions than the old ones. After a long waiting period they provide new legal certainty; however, they will require more effort than was previously the case with the old SCCs. Some of the main changes are:
- Numerous new obligations for data exporters and data importers, documented in a modular approach. The new SCCs consist of a single document in which four different transfer scenarios are described in four Modules:
- Module 1: Controller to controller
- Module 2: Controller to processor
- Module 3: Processor to processor
- Module 4: Processor to controller
Within those Modules, detailed clauses address requirements such as purpose limitation, transparency, accuracy, storage limitation and security of processing.
- In light of the Schrems II decision, one key clause of the new SCCs is a mandatory warranty by which the Parties warrant that they have no reason to believe that the laws and practices in the country of destination of the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under the new SCCs. For this, the parties must take into account elements such as the specific circumstances of the transfer (e.g., nature of the data, purpose of the processing), the laws and practices in the recipient country, and any relevant contractual, technical or organizational safeguards put in place. This assessment must be documented by the parties and provided to the competent supervisory authority on request.
- Contrary to the former SCCs, the technical and organizational measures ensuring data security must be described specifically and not only generically, with particular attention to measures for pseudonymisation and encryption of personal data, processes for regularly testing, assessing and evaluating the effectiveness of the measures, measures for user identification and authorization, and measures for ensuring event logging.
- Accountability: All involved Parties shall be able to demonstrate compliance with the new SCCs. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
How should you proceed?
The old SCCs in use until now will be repealed 3 months after the entry into force of the new SCCs. The new SCCs will enter into force 20 days after their publication in the Official Journal of the EU.
If you enter into new contracts, it is recommended to use the new SCCs within the next 3 months. For an additional period of 15 months you can continue to rely on the old SCCs in existing contracts concluded before the date of repeal of the old SCCs - provided that the contract’s subject matter remains the same and that reliance on the clauses ensures the transfer is subject to appropriate safeguards.
Note that for Switzerland, the Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), had so far recognized the old SCCs of the European Commission as a justification for data transfers from Switzerland to a third country. Many companies used the templates and adapted them to Swiss data transfers into a third country. The same could apply to the new SCCs, although for the moment it remains to be seen whether the FDPIC will approve them. For the time being, the Authority has not taken a position. We will monitor further developments.
How could you tackle the implementation?
- Consider refreshing your third-party inventory
- Perform an internal assessment of all contracts in order to prioritize the order in which your SCCs are amended
- Prepare the SCCs according to the 4 Modules and prepare the transfer assessment – consider implementing supplementary safeguards
- Train the staff concerned on the requirements in order to raise awareness and understanding
- Also monitor the EDPB recommendations, which are still to be finalized