On the 4th of June, new standards on privacy contracts were published: the European Commission approved the new GDPR Standard Contractual Clauses (SCCs).
The SCCs provide templates for agreements to transfer personal data to countries outside the European Economic Area (EEA) that the European Commission identifies as providing an “inadequate” level of data protection. This includes countries like Australia, Brazil, China, India and the US.
SCCs are the most popular data transfer mechanism under EU data protection law.
Many organizations will be required to implement these SCCs with their customers, suppliers and affiliates by December 2022 to comply with the GDPR. This is perhaps the most significant GDPR development since the GDPR became effective.
What is the benefit?
The new SCCs have several advantages for organizations. The ones we find most interesting are listed here.
The new SCCs have a modular approach and fit different situations more easily, so you can pick the clauses that are appropriate for the specific situation. Four transfer scenarios are recognized:
- Controller-to-Controller transfers.
- Controller-to-(sub)Processor transfers.
- (sub)Processor-to-Processor transfers.
- (sub)Processor-to-Controller transfers.
The new SCCs also take into account the differing legislation that exists around the world. Using the new SCCs may help you overcome conflicting legislation, like the current EU-US situation (the “Schrems II” verdict).
Helpfully, the new SCCs allow both non-EEA established Controllers and (sub)Processors to use the SCCs for onward transfers of personal data. As an EEA-based Controller you can more easily cover the contracts with your non-EEA partners and the parties they contract to work for you. This makes it possible to share personal data across the globe in a more coherent way.
The new SCCs allow for multiple data exporting parties to form contracts, and for new parties to be added over time (the so-called “docking clause”) beyond the initial signatories. The prior SCCs were drafted as two-party agreements, capturing the relationship between two parties at a static point in time, without the express means of adding additional parties over time. The new SCCs state that more than two parties can adhere to a single set of contractual clauses and allow for the addition of new parties over time.
The SCCs reinforce the GDPR’s focus on (cyber)security. For example, Annex II requires that a detailed description of the technical and organizational measures implemented is set out for each of the modules. There are 17 suggested categories of requirements covering everything from pseudonymization and encryption to event logging, data quality and certifications. These are further guidelines that help you take the right measures with your partners.
What is the impact?
The new SCCs also come with new obligations.
The new SCCs stipulate that all parties to the SCC must perform a mandatory transfer impact assessment (TIA). All parties must warrant that the laws of the country into which the data is imported are consistent with the SCCs and the GDPR. Additionally, a TIA will help the parties determine if additional safeguards are required based on the data importer’s country laws. The TIA must be documented and provided to data protection supervisory authorities upon request.
Data subjects may directly enforce many of the provisions of the SCCs. They should be informed of any request from government bodies to access the personal data. You also have to record these requests. Therefore, it is important to have your processes for data subject requests up to date.
How to implement?
All your current contracts and Data Processor Agreements with parties outside the EEA will be impacted. They need to be checked and adjusted to comply with the new SCCs. As before, the new clauses can be integrated into broader (commercial) agreements.
We recommend a project-based approach, with the following attention points included:
- Refresh your data map (and Record of Processing Activities) on transfers of personal data (including those involving employees, customers, suppliers and affiliates);
- Check legal implications with experts;
- Assess your Current Data Processing Agreements;
- Push addendum for existing partners;
- Upgrade your contracts with your major vendors when contract prolongation is at stake;
- Make an action plan, assign resources and monitor the progress;
- Improve your pre-contract due-diligence process to include the new SCCs.
Involve the business, project managers and SMEs. This is not only a legal process. You need to understand the changes and the new clauses (especially the annexes) with each partner, not only sign them.
Be aware that you must use the standard contractual clauses as they are, without altering them and including all of them. You are not allowed to vary or modify the clauses. You can, however, add clauses on business or commercial matters where required, as long as they do not contradict the standard clauses.
Other parties can also present an SCC to you. It is important to check that the SCC is original and not modified. Modified SCCs can lead to non-compliance and, once checked, disapproval by the authorities.
What about timing?
The Decision itself became effective on the 27th of June. From this date onward, you can start using the SCCs. New agreements can use the old SCCs up to the 27th of September (although it is advisable to switch to the new SCCs as soon as possible, this is not yet legally required).
All agreements signed before the 27th of September are valid until the 27th of December 2022 (assuming they adequately protect the personal data involved and the processing operations do not change before that time).
This process will be a marathon, not a sprint.
Vivenics has a proven track record working with GDPR compliance.
Please feel free to contact us to discuss the requirements and possibilities. You can reach us on +31 (0)88 8483 100 or email@example.com. Your first consultation is free of charge.