Under the General Data Protection Regulation (“GDPR”), personal data cannot be transferred outside the EU/EEC area without specific legal safeguards, except for a few specific countries that have been deemed to have an adequate level of data protection, such as Canada and the UK. The most common legal safeguard for such transfers is the use of Standard Contractual Clauses (“SCCs”) approved by the EU Commission, i.e., template agreements usually added as annexes to crossborder contracts.
WHICH COMPANIES ARE AFFECTED?
Almost every company in the EU will be affected by this change. If the company uses any service provider or partner that has processing activities outside the EU/EEC, they likely will be affected by this change. For example, essentially all major hosting providers use distributed infrastructures that include processing activities outside the EU/EEC even if the actual servers on which the personal data is stored are located inside the EU.
In particular, this change will affect those companies that provide their own software products or services and have previously relied on old SCCs to transfer data to processors or controllers outside the EU/EEC. These companies will need to act by 27 September 2021, or they may be in breach of the GDPR. It is thus important to be aware that after 27 September 2021 no new contracts should be executed using the old SCCs.
WHAT HAS CHANGED?
The new regime on SCCs includes many of the same features as the previous SCCs, but there are also important differences, some of which are listed below:
- It is now possible (and indeed required) to have several different parties involved in one set of SCCs. For example, an online retailer might have a set of SCCs that include the following: a. the webshop owner (data controller), b. the provider of the webshop platform (processor), c. the hosting provider (processor), d. the payment provider (controller or processor), e. the shipping provider (processor) and f. a company doing data analytics relating to the webshop (processor).
- It is now easier for third parties such as data subjects to file compensation claims against any of the parties involved in the processing. Joint liability is possible in cases where more than one party is responsible for damage caused in processing personal data.
- Parties will now need to carry out and document a risk assessment for use of the SCCs, and to implement technical or organizational risk mitigation measures to ensure that the rights of data subjects are not compromised by the data transfer.
WHAT DO COMPANIES NEED TO DO NOW ?
Companies that transfer or process personal data outside the EU/EEC need to review their personal data practices and implement the new SCCs before 27 September 2021. As the old SCCs can no longer be used in new contracts after this date, it will be illegal to transfer the personal data of new customers outside the EU/EEC under a new contract unless the new SCCs have been implemented.
In addition, all use of the old SCCs must cease by 27 December 2022, so at the latest at this point companies will need to renegotiate their old contracts and will need to roll out the new SCCs for their old customers/partners.