Deadline to update Standard Contractual Clauses for personal data transfers
As of 27 December 2022, the standard contractual clauses (“SCCs”) used to regulate personal data transfers to entities established in third countries (non-EEA) must reflect the latest version that was published by the European Commission on 4 June 2021.
Failure to meet this obligation would mean that the international data transfer would not be covered by a valid safeguard and thus render the transfer in breach of the GDPR.
This does not apply to personal data transfers to entities established within non-EEA countries that are the subject of an adequacy decision (including the United Kingdom).
What constitutes a personal data transfer under the GDPR?
The European Data Protection Board has identified three cumulative criteria for an international data transfer to take place:
- The controller or processor that is exporting the personal data must be established in the EEA, or otherwise subject to the GDPR.
- There must be a transfer (which includes sharing and access provision) of personal data from an ‘exporter’ to an ‘importer’.
- The importer must be located in a country outside the EEA, regardless of whether the importer is itself subject to the GDPR.
For example, an international data transfer would include allowing personnel of a company established in a third country (the data importer) to remotely access personal data stored by the data exporter in the EU/EEA.
What are SCCs?
SCCs are the most widely used tool for regulating personal data transfers to third countries in accordance with the GDPR. They are model clauses which have been published by the European Commission and their main advantage is that they are a pre-approved mechanism for allowing data exporters to transfer personal data outside of the EU/EEA whilst ensuring appropriate data protection safeguards.
Data transfers to entities established within non-EEA countries that are the subject of an adequacy decision (including the United Kingdom) do not need to be regulated through SCCs.
What is new?
The SCCs published by the EU Commission on 4 June 2021 (which have replaced the earlier sets of SCCs that had been adopted under the Data Protection Directive 95/46) offer a more flexible structure and provide for a wider range of scenarios than their previous iteration. This modernised set now contains four modules which provide for four cross-border transfer scenarios, all codified into a single document. The modules within the SCCs are:
- Data transfers from controller to controller (C2C)
- Data transfers from controller to processor (C2P)
- Data transfers from processor to processor (P2P)
- Data transfers from processor to controller (P2C)
What do you need to do?
Prior to exporting personal data to an entity established in a country outside the EEA that is not the subject of an adequacy decision, you should start by conducting a Data Transfer Impact Assessment (DTIA) to ensure that nothing in the law of the third country would prevent the data importer from complying with the GDPR. The outcome of this assessment should be documented and used to determine whether you can proceed with the transfer.
Subject to the DTIA not yielding negative results, you would then need to enter into (or replace) the SCCs. To do so, you need to start by identifying your role (i.e. whether you act as a controller or processor of data) and that of the data importer. You can then identify which of the four modules of the SCCs applies and choose the module that corresponds to your situation.
You would then need to obtain the data importer’s agreement to enter into the SCCs and execute the correct form.