The European Commission adopted new Standard Contractual Clauses (SCCs) in June 2021. After 27 December 2022, only these “new” SCCs may be used, without exception.
What does that mean for companies and organizations?
If personal data is transferred to processors (or their sub-processors) or to controllers in a country outside the EU or the EEA (European Economic Area), for which there is no adequacy decision by the European Commission (decision pursuant to Art. 45 (2) GDPR), one means to achieve an adequate level of data protection is to conclude SCCs and, if necessary, implement additional measures to safeguard the data.
After the European Court of Justice declared the EU-US Privacy Shield invalid in its ruling of 16.07.2020 in case C-311/18 (“Schrems II”), the European Commission undertook a revision of the “old” SCCs (2010/87/EU) and published a new version and various modules of Standard Data Protection Clauses (EU 2021/914) on 04.06.2021. In accordance with the Implementing Decision, the use of the new Standard Data Protection Clauses (EU 2021/914) has been mandatory for the conclusion of new contracts since 27.09.2021. However, the “old” SCCs will remain valid until 27.12.2022.
In practice, this means: After 27 December 2022, transfers of personal data to unsafe countries outside the EU or the EEA may no longer be based on the “old” SCCs. If transfers continue to be carried out on the basis of the “old” SCCs after the expiry of this period, there is a significant risk of non-compliance, with the possible imposition of fines by supervisory authorities.
Transfer Impact Assessment
As part of the conclusion of the new Standard Data Protection Clauses, the data exporter and the data importer must also undertake a so-called Data Transfer Impact Assessment (TIA) as defined in clauses 14 and 15 of the Standard Data Protection Clauses. It is essentially a requirement to ensure an adequate level of data protection in accordance with Chapter V of the GDPR, which is why it is necessary to check, for example, whether there are adequate procedural principles in place in the third country that regulate access to the data by authorities.
More information on this topic can also be found in our German blog article from 29.06.2021. If the wording in this blog article – Standard Contractual Clauses and Standard Data Protection Clauses – has confused you, then our German blog article from 06.07.2021 provides the appropriate explanation.
What steps do companies and organizations need to take now?
- It must be determined whether, and if so which, data transfers to third countries without an adequacy decision (unsafe countries) are taking place.
- It must be clarified which constellations of data transfers exist and which modules of the new EU Standard Data Protection Clauses must therefore be concluded.
- Service providers or other contractual or business partners must be contacted and the conclusion of the new EU Standard Data Protection Clauses between data exporter and data importer must be requested.
- The content and performance of the Data Transfer Impact Assessment has to be agreed on between the data exporter and the data importer.
- The outcome of the TIA must be documented and the intervals at which further assessments are to take place should be established.