New Standard Contractual Clauses – how to implement and automate personal data transfer operations
As of June 27, 2021, new Standard Contractual Clauses (SCC) apply in the European Union, which have been aligned with the requirements of the GDPR and allow the legal transfer of personal data outside the EEA, both within groups and between suppliers and customers.
The new clauses replaced the previous ones, which had been widely used long before the GDPR entered into force and had drawn considerable criticism. The new clauses take into account the CJEU judgment in the Schrems II case, in which the Court indicated that data exporters, in addition to entering into standard contractual clauses, must also assess whether the country to which the data is exported provides an adequate level of protection, and apply additional safeguards for transfers to countries that do not provide the required protection.
Companies are required to use the new SCC as of September 27, 2021, and have to amend and replace their existing clauses with the new ones by December 27, 2022.
Implementation of the new Standard Contractual Clauses
The new Standard Contractual Clauses are divided into a general clause and four modules that apply depending on the type of data flow:
- Module one: data transfers from an EEA controller to a third country controller;
- Module two: data transfers from an EEA controller to a third country processor;
- Module three: data transfers from an EEA processor to a third country processor;
- Module four: data transfers from an EEA processor to a third country controller.
The Modules provide much more flexibility than previous approaches, which did not consider many nuances of data transfers in modern business. For example, the new SCC recognise that the data exporter may be based outside the EU and facilitate transfers between EU processors and non-European sub-processors.
Additionally, implementing the new Standard Contractual Clauses in relations with processors will eliminate the need to conclude separate data processing agreements consistent with the requirements of Article 28 of the GDPR. Applying the new clauses will also make it easier to enter into multilateral (often intergroup) data transfer agreements.
New obligations of the parties
Both the data exporter and the data importer need to ensure that they have carried out an assessment of the local laws of the country to which the personal data will be transferred. They must also have no reason to believe that the laws and practices of that jurisdiction may prevent the data importer from fulfilling its obligations under the SCC (including any appropriate safeguards put in place to supplement those indicated in the new clauses).
When assessing the risk, the parties should take into account relevant and documented practical experience from previous cases, i.e. whether public authorities have requested disclosure of data in the past. In addition, the recipient of the data is required to notify the exporter of generally all requests by a public authority for access to the data. It also has to verify the lawfulness of such requests, challenge unlawful requests and provide only the minimum information necessary to comply with any legal obligation to which it is subject. It is further required to report regularly on the requests received and to inform the data exporter if it is unable to comply with the new Standard Contractual Clauses (in such a case, the data exporter will be entitled to suspend or terminate the SCC).
The parties are required to document the risk assessment process and make it available to the supervisory authority upon request.
The technical and organisational measures adopted to safeguard the transfer of personal data should be described in detail (rather than, as until now, in general terms) in Annex II to the SCC. Furthermore, Annex II should clearly indicate which measures apply to each type of data transfer.
Entities transferring personal data outside the EEA are required to update the relevant agreements no later than December 27, 2022. We propose taking the following steps:
- identifying contracts/instruments under which data is currently transferred outside the EEA;
- identifying contracts with Standard Contractual Clauses included;
- determining whether transfers made under the previous version of Standard Contractual Clauses continue after December 27, 2022;
- if yes, verifying the roles of the parties to the contract (controller, processor, sub-processor) and mapping the data flow and countries to which the data is transferred;
- preparing a risk analysis template assessing the level of protection of personal data in the importer’s country and the necessity of implementing additional safeguards;
- preparing a list of additional safeguards as well as organizational and technical measures required to be implemented for a given type of transfer;
- establishing the format and channel for reporting a request for disclosure of personal data by public authorities of the data importer country and agreeing on the next steps in the event of a request for data by public authorities;
- sending a questionnaire to data recipients to verify their compliance with the above requirements – this also applies to the new entities;
- sending a proposal for the new relevant Standard Contractual Clauses together with an appropriate set of organisational and technical measures;
- concluding the new Standard Contractual Clauses and placing them in the repository;
- ensuring a mechanism for periodic reviews of the concluded SCCs.
How can we help?
JT Weston offers a copyrighted NEULA platform (BPMS class software for mapping, optimization and automation of business processes). It significantly improves and simplifies the implementation and management of data transfers based on the new Standard Contractual Clauses in organizations. Below is a sample description of the process that will allow you to implement the new SCC within the legally required timeframes.
Material prepared by JT Weston Legal. It is not legal advice. If you have any questions, please contact Magdalena Bartosik (firstname.lastname@example.org).
 C-311/18 Data Protection Commissioner vs. Facebook Ireland Ltd., Maximilian Schrems.