EU finally adopts new data transfer clauses

On 4 June 2021, the European Commission announced two new sets of standard contractual clauses: (i) for international transfers of personal data (new SCCs) (available here) and (ii) to be used by controllers and processors in the EU/EEA (available here) (see also official announcement).

The new SCCs replace the SCCs that were previously approved by the EU Commission (old SCCs). In particular, the EU Commission stresses that the new SCCs reflect the requirements of the GDPR (Regulation (EU) 2016/679) and take into account the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II) (see our previous Law Now for more information).

What does this mean in practice for international data transfers?

If your company transfers personal data to recipients based outside the EU/EEA, we recommend the following three steps:

• Step 1: Map out the data transfers that your company is currently involved in (both intra-group as well as with third party business partners) and assess which of these transfers need to be governed by SCCs. If your company currently uses the old SCCs for data transfers, then develop a roadmap for replacing these SSCs with the new SCCs (there is a transition period – see below).
   
• Step 2: Review the qualifications of the parties involved in the data transfers ((joint) controller, processor, sub-processor) and make sure you choose the right module for each data transfer. Indeed, unlike the old SCCs, the new SCCs are designed to deal with multiple types of cross-border transfer in the same data transfer agreement: controller-to-controller transfers (module 1); controller-to-processor transfers (module 2); processor-to-processor transfers (module 3; new!); and processor-to-controller transfers (module 4; new!). Indeed, in addition to the general clauses, controllers and processors will have to select the module that applies to their situation so as to tailor their obligations under the standard contractual clauses to their roles and responsibilities in relation to the data processing in question. The new SCCs also regulate the use of sub-processors where applicable.
   
• Step 3: Conduct a transfer impact assessment (TIA). Although the new SCCs contain provisions to address some of the concerns raised by the EU Court of Justice in its Schrems II decision, you will need to carry out a TIA even if you use the new SCCs. If the TIA reveals that the new SCCs in themselves are unlikely to effectively ensure an essentially equivalent level of protection, implement supplementary measures (e.g. anonymizing or pseudonymizing the data before it is transferred; minimizing the volume of personal data that is being transferred; limiting the period during which the transferred data may be retained in the third country; and encrypting the data before being transferred (and keeping the key separately in Europe)).

Is there a transition period?

Yes. As of publication in the Official Journal of the EU (on 27 June 2021), there is an 18-month transition period (until 27 December 2022) for updating your contractual relationships.

The specific schedule is as follows:

• The new SCCs can be incorporated into your new contracts from 27 June 2021.
• The old SCCs will be repealed with effect from 27 September 2021. During the three-month transition period (from now until 27 September 2021), you can enter into either the new or the old SCCs.
• New contracts concluded before 27 September 2021 with the old SCCs shall be deemed to provide appropriate safeguards until 27 December 2022, “provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards”. As the transition period ends in December 2022, you will have to implement the new SCCs before that deadline.
• The old SCCs can no longer be used after 27 December 2022.

How can we help?

The whole process of handling international data transfers and documentation will be challenging as concluding new SCCs alone will not be sufficient to comply with Schrems II requirements. We will of course be happy to help you with the implementation of the three steps (for instance, assisting you in mapping out the data transfers; advising you on the parties' qualifications; helping you conduct the TIA; and helping you draft the addenda to your company's existing data transfer agreements to integrate the new SCCs into those agreements).