Companies relying on the SCCs as a data transfer tool have less than a month to update their existing contracts (if they haven’t done so already).
The EU General Data Protection Regulation (GDPR) allows companies that want to transfer personal data protected by the GDPR to third countries outside the EU/EEA to do so using contractual clauses that ensure appropriate data protection safeguards. The most frequently used clauses are the so-called Standard Contractual Clauses (SCCs), which have been pre-approved by the European Commission.
In an attempt to address the concerns raised by the Court of Justice of the EU in the Schrems II case, the European Commission issued a new set of “modernized” SCCs on June 4th, 2021. The modernized SCCs can be used as grounds for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
Prior to the modernized SCCs, companies were able to use three sets of SCCs that were adopted under Data Protection Directive 95/46/EC (i.e., the GDPR’s predecessor): two different sets for controller-to-controller transfers, and one set for controller-to-processor transfers. The modernized SCCs replace these three sets of SCCs – and following September 27th, 2021, it is no longer possible to conclude contracts incorporating the earlier sets of SCCs.
Contracts concluded before September 27th, 2021 on the basis of the previous SCCs are deemed to provide appropriate safeguards within the meaning of the GDPR until December 27th, 2022 – provided that the data processing operations that are the subject matter of the contract remain unchanged.
From December 28th, 2022 onwards, it will no longer be possible to rely on the previous SCCs to lawfully transfer personal data to controllers or processors in third countries.
WHAT ACTION TO CONSIDER?
Companies that are:
a) controllers or processors of personal data processed subject to the EU GDPR;
b) currently transferring personal data to other controllers or processors in third countries; and
c) using the SCCs as a data transfer tool;
should make sure that they (and their contract partners):
a) are relying on the modernized SCCs (as opposed to the previous versions);
b) have properly entered into the modernized SCCs; and
c) have duly completed the annexes to the modernized SCCs.
All of this should be done by December 27th, 2022.
They should also ensure that the transfer impact assessments that are required under Clause 14 of the modernized SCCs have been performed and documented.
In addition, controllers may want to update their privacy policies to include references to the modernized SCCs as their data transfer tool going forward.