Standard Contractual Clauses
As part of a due diligence process, potential buyers should seek to understand whether the target is up to date with the latest data transfer compliance requirements. Effectively, this means confirming whether the target has updated its relevant contracts so that they rely on the new Standard Contractual Clauses (SCCs) for international data transfers.
Which data transfer clauses should be used depends on where the personal data is being transferred from (the UK or the EEA) and when the transfer was made. New data transfers – transfers from the EEA as of 27 September 2021 and from the UK as of 21 September 2022 – should not rely on the old SCCs. If the relevant contracts were in place before these dates, businesses can rely on the old SCCs until 27 September 2022 for transfers from the EEA and until 21 March 2024 for transfers from the UK, provided that there are no changes in the relevant processing operations.
Due Diligence
Potential buyers should explore which clauses the target business uses, where the personal data is exported from (the UK or the EEA), when the transfers were made, and where potential gaps, risks and issues may arise within the target organisation.
Transfer Risk Assessment / Transfer Impact Assessment
Businesses are also required to undertake a Transfer Risk Assessment (TRA) or Transfer Impact Assessment (TIA) for transfers of personal data to countries without an adequacy decision from the Information Commissioner's Office (ICO) or the European Commission (as applicable). The assessment considers whether the laws of that country are deemed to offer sufficient protection to data subjects even if outside the reach of GDPR. If they don’t, and supplementary measures are not sufficient to give the necessary protection, the relevant data transfers should not be undertaken, even if SCCs are, or will be, in place.
A practical approach to remediating old contracts
A typical organisation will have a substantial number of contracts involving international data transfers, and each may require a different approach to remediation. In an ideal world, any amendment to a contract would start with a conversation with the counterparty to discuss the need for the amendment and to agree an approach. This would result in a document that precisely identifies the relevant contract and the clauses that require amending. However, this may not be practical when a large number of contracts are involved, and parties are working under the time pressure of a completion deadline.
An effective alternative might be to present a counterparty with a standard form document which replaces all provisions in any relevant existing contracts relating to international data transfers (without specifically identifying the contracts or the relevant provisions). Of course, counterparties who routinely process customer personal data may have their own approach to achieving compliance.
Start with a conversation
Before putting energy into crafting the ideal remediation document, ask the counterparty whether it has considered this issue and, if so, how it has approached this with other customers. Some counterparties, particularly those who routinely process large amounts of data, may have a standardised approach they would prefer to use across their customer base.
Explain the context
A covering letter or email explaining the context of what the business is trying to achieve with the amendment can accelerate the negotiation process. Consider that the counterparty may not even be aware of the changes in the law or the need to update the contracts, so receiving a draft contract out of the blue may come as a surprise. Aim to manage their expectations.
It is worth considering that counterparties who routinely process customer personal data may have their own approach to achieving compliance.
Focus your efforts
A business might take a different approach to remediation depending on the risk level of the contract. Relevant factors to take into account include how significant the counterparty is to business operations, how much personal data is being transferred and whether it is sensitive or special category personal data. Save the most bespoke and time-intensive remediation approach for the highest risk data processing arrangements and streamline the rest as much as possible.
Keep it simple
Keeping the amendments to the minimum required for compliance will help cut down negotiation time. Using the remediation exercise as an opportunity to overhaul the commercial arrangements or data processing provisions beyond what is strictly necessary may invite protracted negotiations.
Deemed acceptance?
If under time pressure, it can be tempting to stipulate that if the counterparty has not responded by a particular deadline, they will be deemed to have accepted the ask. However, this is not a robust legal approach and, if later challenged, is unlikely to hold up to scrutiny. While it may appear to be the most efficient approach to remediating a large volume of contracts, save this strategy for the lowest risk suppliers.