Replacement Standard Contractual Clauses Adopted for Personal Data Transfers

The European Commission (‘EC’) has announced its adoption of a new version of Standard Contractual Clauses (‘SCCs’) for use between entities transferring personal data to countries outside of the EEA, known as ‘third countries’.

SCCs are required where companies are transferring personal data from within the EEA to another company located in a third country where no adequacy decision has been granted in favour of that country. SCCs act as an additional safeguard to ensure personal data is protected where it is accessed in countries with ‘inadequate’ data protection laws, including, for example, the US and India. They are a set of model clauses that must be adopted in their entirety, setting out various obligations for the data importer and exporter.

The EC has stated that the new SCCs must be used in place of the existing versions within 18 months of coming into force where companies are already using the old versions. For first time use, the old versions will cease to be valid within 3 months of the new SCCs coming into force. It is likely they will enter into force within the next month.

Unlike with the old SCCs, there will now be only one version, and the clauses are intended to be more flexible and better aligned to the principles of the General Data Protection Regulation (‘GDPR’). The clauses cover processor-controller and processor-processor relationships, rather than just controller-controller and controller-processor interactions, and they can be entered into by more than just two parties. Contracting organisations may also include additional clauses if they wish, provided they do not contradict the wording of the SCCs themselves.

In relation to the previous risk of the SCCs conflicting with the local laws of the third country, the new version requires the parties to warrant that they have no reason to believe the laws and practices in the country of data import will prevent the data importer from complying with the SCCs. To ensure this is indeed the case, the parties must carry out a Data Protection Impact Assessment (‘DPIA’), documenting the assessment of local laws and potential risks involved with the transfer. In the event the data exporter suspects that the importer can no longer comply with the SCCs, data transfers must stop (or not begin).

The new SCCs will continue to be required as between affiliated companies and subsidiaries where one is based in the EU and another is in a third country – they are not just for separate organisations.

What does this mean for the UK?
As the UK is no longer part of the EU, the new SCCs will not apply in the UK and instead the existing versions will continue to be effective. However, the Information Commissioner’s Office, the UK data protection supervisory body, is currently in the process of working on its own set of clauses to bring out in the near future. Be aware that completion of a DPIA is recommended before entering into SCCs in the UK too.

It is also worth noting that the UK has not yet been granted an adequacy decision by the EC. There is presently a bridging period in place until the end of June 2021, alleviating the need for additional measures to be implemented for the time being, and it looks likely that a favourable decision will be granted. In the event that it is not, however, EU companies transferring personal data to the UK will have to enter into these new SCCs with the recipient UK entity. The UK has granted adequacy to all countries of the EEA, so SCCs are not required in respect of data flows in that direction.

What do you need to do now?
Where your organisation currently transfers personal data from the EU to a third country, you will need to assess the data flows involved and the associated risks and, if safe to do so, prepare to implement the new SCCs in respect of such transfers, in place of the old versions. The same goes for organisations planning to share data with other companies in third countries going forwards.

Please note that the EU-US Privacy Shield was invalidated at the end of 2020 so SCCs now have to be implemented for any EU or UK data transfers to the US too.

If you have any questions in relation to the above or would like assistance in implementing the SCCs for your business, please get in touch.

Madeleine Rhodes