One of the available safeguard measures to facilitate the flow of personal data outside of the EEA is for the relevant entities to incorporate standard contractual clauses approved by the EU Commission into their contractual documentation. These clauses impose data protection obligations on the parties (e.g. a controller and a processor) as a matter of contract, so that the importer is bound to an EU-equivalent standard even where the law of the destination country does not require it. However, until now, the standard clauses approved by the EU Commission were largely based on the pre-GDPR landscape and were overdue for an update.
The new EU Standard Contractual Clauses (SCCs) were adopted by the European Commission on 4 June 2021. They entered into force on 27 June 2021, 20 days after their publication in the Official Journal of the European Union on 7 June 2021.
The new SCCs repeal the previous SCCs, but: (i) there is (the remainder of) a three month “grace” period (until 27 September 2021) during which the old SCCs can still be used for new contracts. For any contracts concluded after 27 September 2021, the new SCCs must be used; and (ii) a separate transition period also exists (ending on 27 December 2022), during which contractual parties can continue to rely on the old SCCs in contracts concluded before 27 September 2021, provided the processing operations covered by the contract remain unchanged.
The UK government is also introducing new SCCs for transfers of personal data from the UK to third countries, although at present parties to such transfers can continue to use the old standard contractual clauses approved by the EU Commission. Please read our article regarding the UK SCCs here.
Implementation of the new SCCs
What type of transfer?
Companies will need to review their current data transfers which rely on SCCs and evaluate the relationship between the parties to each transfer. There are four data processing relationships contemplated by the new SCCs, which is an attempt to address one of the key issues with the previous clauses: that they did not naturally fit the breadth of different types of data transfer that can arise.
- Controller to controller
- Controller to processor
- Processor to sub-processor
- Processor to controller
The data processing relationship determines which SCCs are used: the SCCs apply a set of general clauses to all data transfers, which are supplemented by additional, modular clauses specific to the relevant data processing relationship. Parties should select only the module that matches their relationship and complete the annexes (description of the transfer, technical and organisational measures) accordingly.
There is also a new requirement for a transfer risk assessment to be carried out and documented, which the competent supervisory authority can request to see. This appears to be an attempt to give effect to the Schrems II decision (our case summary can be found here). Such a risk assessment must contain information relating to:
- The circumstances of the transfer, such as what data the parties are transferring and why
- The relevant laws and practices of the destination country, especially in relation to government access and surveillance
- The safeguards that have been implemented in addition to the SCCs, e.g. encryption
Public authority access requests
The SCCs have also introduced a new requirement for the data importer to notify the data exporter (and, where possible, the data subject) when it receives a legally binding request from a public authority for disclosure of the transferred personal data, unless prohibited from doing so. The data importer must also review the legality of such requests and challenge them where it considers there are reasonable grounds to do so.
This article is designed to give a brief overview of the new EU Standard Contractual Clauses. Please do feel free to contact us if you have any queries in relation to this article or data protection matters more generally.