New Standard Contractual Clauses for Data Transfers, Get the Low-Down

In November 2020, the European Commission published a draft set of Standard Contractual Clauses (SCC’s) for the lawful transfer of personal data from countries bound by the GDPR to third countries – ie, those outside of the EEA and not legally bound by the legislation. The new set of SCC’s replace those adopted under the Data Protection Directive 95/46, which the Data Protection Act 1998 is based upon.

The new sets of SCC’s include one for use between controllers and processors and one for the transfer of personal data to third countries. This means they are based on four scenarios: controller to controller, controller to processor, processor to processor and processor to controller. These new SCC’s are also usable if multiple legal entities of a controller or processor need to be part of the contract.

What Are the Purpose of SCC’s?

According to the GDPR, when personal data is transferred to a country out of scope of the legislation (ie, outside of the EEA) or to where there is no adequacy decision in place, by inserting these SCC’s into data sharing agreements, they ensure the exporter and importer of the data meet the basic requirements of the EU GDPR and that the necessary “appropriate safeguards” are in place.

SCC’s cannot be used in every instance – one of the major changes from the old versions is that the new set can only be used where the recipient (the data importer) is not subject to the GDPR by default. Any onward transfer by the data importer to a sub-processor would need to be covered by SCC’s, however. If you need clarity on your processing scenarios, please contact us and we will advise of your obligations.

What is Adequacy and Does it Make a Difference?

If the recipient of the data (the importer) is outside of the EEA, but has been granted adequacy by the European Commission, or the UK ICO, the SCC’s are not required. An adequacy decision is made by the Supervisory Authority (ie, the ICO) where they deem a non-EEA country provides “adequate” protection for individuals rights and freedoms for their personal data.

As of June 2021, the following countries have been granted an adequacy decision by the European Commission and ICO – Andorra, Argentina, Canada (commercial only), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Uruguay, Switzerland, and Japan. You may notice the absence of the United States! If your business transfers personal data to the US, then you will need to include SCC’s in your data sharing agreements. The US has a surveillance culture and government agencies have ready access to any personal data in the country – an approach that goes against the grain of the GDPR.

How Do SCC’s Affect Transfers from the UK?

Following Brexit, the UK has been granted a temporary (conditional) adequacy decision for transfers into the EU/EEA – a final decision is due to be made by the end of June 2021. If the UK is awarded adequacy, then SCC’s will not be required to facilitate the transfer of data to the EU/EEA. However, SCC’s will be required for transfers from the UK to places like the US.

If the UK is not awarded adequacy by the European Commission, or this adequacy decision is revoked in the future, then SCC’s will be required for transfers to the EU/EEA.

Will my Business Need to Implement These SCC’s?

Below are examples of instances where businesses will need to use these new SCC’s. If your business falls into any of these categories, then contact us and our specialist teams will advise, as you may need to implement several types of SCC’s, depending on the complexity of your processing activities.

• If you are a large business or have operations in both the UK / Europe and in non-European territories, you will need to implement them to permit intra-group transfers.

• If you are a UK or European business with non-European suppliers (in whatever form) then you will be required to implement them for the transfer to be lawful. In this instance, you should have evidence of conducting appropriate due diligence on your suppliers ahead of engaging.

• If you are a US-based company and have European corporate customers, then they will be required.

• If your business comes under several of these instances (your internal business operations and you have non-EU suppliers, then you’ll need to implement different SCC’s for each processing activity.

Do I Have to Act Now?

Yes.

These SCC’s come into force almost immediately – and based on the amount of time it takes to complete contractual reviews – and if your company has a large number of contracts, then it will take some time.

The European Commission has advised:

• Where the data transfers are new (ie, a new processing activity), or your data sharing agreements do not currently have SCC’s in place (but should), you have 3 months and 20 days - roughly late September 2021 - to implement. Beyond this point, your transfer is unlawful.

• Where you have the old SCC’s in place, you have 18 months and 20 days to implement the new ones (roughly late December 2022). Beyond this point, your transfer is unlawful.

If you think your business needs to implement SCC’s, but need guidance on exactly where within the business, our specialist consultants can conduct a data flow analysis to identify exactly where your obligations lie – contact us now to discuss.