The New Standard Contractual Clauses – What does it mean for your organisation?
What are the new Standard Contractual Clauses (SCCs)?
On the 4th of June 2021, the European Commission published the new Standard Contractual Clauses (SCCs). These SCCs outline the required safeguards within the meaning of Article 46(1) and Article 46(2)(c) GDPR. Interestingly, the new SCCs introduce a requirement to furnish a copy of the SCCs to the data subject where requested. This copy can be redacted to ensure the confidentiality of the agreement between the parties. Where the SCCs are incomprehensible following redaction, or if they are still too complex for the data subject to understand, a summary of the SCCs can instead be provided. This summary should include the SCCs and the associated Annexes in plain English and importantly, it must be a “meaningful summary”. Therefore, organisations must consider drafting a summary alongside their new SCCs to ensure that they can meet these demands where requested.
The new SCCs use a modular approach which allows organisations to adjust the SCCs to suit their engagement, i.e., controller-to-processor transfers, controller-to-controller transfers, and so on. The available modules now include processor-to-processor and processor-to-controller engagements, which were previously unavailable under the SCCs. The new SCCs also allow for an optional docking clause. This clause allows new sub-processors to be added to the existing contractual relationship between the exporter and importer, without the need for an entirely new contract to be drawn up.
The new SCCs came into force on the 27th of June 2021. Organisations transferring data to third countries can continue to use the old SCCs to execute new contracts until 27 September 2021. From that date, the old SCCs are officially repealed and replaced by the new SCCs. There is then a grace period until 27 December 2022, by which date all new and existing contracts must be amended to reflect the new SCCs.
Austrian lawyer and Data Privacy Activist - Maximilian Schrems
The question on everyone’s mind while awaiting the new SCCs was how they would deal with the Schrems II decision. Schrems II questioned whether the old SCCs were a reliable tool for data transfers. The main problem with the old SCCs was that they were only effective where additional transfer impact assessments and supplementary measures were carried out. Consequently, the need for updated SCCs was pressing. Section III of the new SCCs, entitled “local laws and obligations in case of access by public authorities”, aims to address most of the Schrems II concerns.
The Commission, through the new SCCs, demonstrates that the appropriate balance to be struck on Schrems II is to introduce a risk-based approach towards local law assessments. Further, a transfer impact assessment (TIA) is now mandated for data transfers to third countries. The TIA determines whether the local laws of the data importer’s country are compatible with the new SCCs and the GDPR, and whether any supplementary measures are needed to ensure data protection.
Local law assessments
The new SCCs provide a risk-based approach for assessing whether a third country’s laws and practices provide adequate protection for personal data. This is done via a TIA questionnaire, a template for which is now available on PrivacyEngine.
Organisations must also consider the likelihood that the importing country’s public or government authorities will request access to the exported personal data. The new SCCs provide that the parties must warrant that they have “no reason to believe” that the data importer’s local laws will prevent the importer from complying with its obligations under the SCCs.
The local law assessment considers the specific circumstances of the data transfer, the laws and practices of the destination third country, and the relevant contractual, technical and organisational safeguards which have been put in place. The assessment can include relevant and documented practical experience of the importer with prior access requests from public or government authorities, or the absence of such requests. Importantly, this assessment must be fully documented and available on request by the relevant supervisory authority.
Public and government authority access requests
In true Schrems II fashion, the new SCCs introduce an obligation on the data importer to notify the data exporter of any request for, or access to, the data by a public or government authority, unless prohibited from doing so. Where the importer is prohibited from notifying the exporter, it must make every effort to have the prohibition waived. The importer must now also review the legality of any government access requests and challenge those which it believes to be unlawful.
Where the importer is legally bound to disclose data following a government access request, the importer must adhere to data minimisation principles and disclose only the information that is necessary to comply with its legal obligation. There are also transparency requirements imposed on the importer, whereby it must provide regular reports about requests received. If, following these reports, the importer believes it can no longer comply with the SCCs, and no mitigating measures can be taken to remedy that risk, the exporter can suspend and/or terminate the SCCs.
In a similar manner to the old SCCs, the new SCCs contain mandatory Annexes which must be completed and signed by the parties.
- The first annex requires the parties to describe the transfer in detail, much like the prior SCCs. However, the new SCCs additionally require importers to detail any onward transfers to sub-processors, including the nature and duration of those transfers. The rationale is to ensure complete transparency between all parties regarding the entire set of data transfer and processing activities. As such, it is recommended that organisations prepare data mapping reports to get ready for the new SCCs.
- The second annex requires a description of the technical and organisational measures in place to safeguard the transfer of data. These must be specific and not generalised measures.
- The final annex describes the list of sub-processors engaged by the importer. This annex only requires populating where the importer requires specific authorisation to engage sub-processors as opposed to a general authorisation to engage sub-processors.
Transfers to the UK
Many organisations might be thinking about what the new SCCs mean for the UK due to Brexit. The new SCCs do not automatically apply under the UK GDPR. Instead, it is expected that the Information Commissioner’s Office will issue guidance on their own bespoke rendition of the new SCCs in the coming months. Another lingering question for EU organisations is whether they need to use the new SCCs for their data transfers to the UK. Fortunately, a welcome decision from the European Council was signed off on June 21, 2021, for a post-Brexit data adequacy deal. This deal now means that data transfers can continue between the EU and the UK without the need for the new SCCs.
What can your organisation do now? Timelines and summary
The main task for organisations now is implementing new paperwork and repapering old contracts containing the prior SCCs. Organisations need to start updating their third-party contracts for data transfers to third countries. They have 18 months to overhaul all contracts to reflect the new SCCs. This will be a major task for many organisations which transfer data to third countries and will require considerable preparation in the coming months.
We have an updated template on PrivacyEngine which can be used to meet the requirements of the new SCCs. Alongside drafting their new SCCs, organisations need to prepare meaningful summaries so that they are ready for requests for them from data subjects. Organisations are equally advised to conduct data mapping exercises to fully understand the flow of data within their engagements. Organisations now also need to carry out TIAs on data transfers to third countries. We have another template for this available on PrivacyEngine.