New SCCs arrive but the old remain, for now!

On Monday 27th September 2021, old Standard Contractual Clauses (SCCs) were replaced by new Standard Contractual Clauses. 

Sounds great! In reality, what does all this mean?

Out with the old, in with the new

Whilst the old SCCs could be applied as a transfer tool to legalise personal data transfers outside the EEA, the new ones come as two sets of SCCs:

  • Set #1 – like the old SCCs, it is a transfer tool for transfers outside the EEA
  • Set #2 – a new set of rules that can be used as a standard Data Processing Agreement (DPA) for data transfers between a controller and a processor within the EEA

The old SCCs have been in force since the days of the Data Protection Directive (DPD) of 1995. Much has changed since then. Most notably, the DPD was replaced by the GDPR in 2018. However, the courts have also been actively shaping the way the laws need to be interpreted. With the Schrems II ruling, which created a lot of waves, the CJEU added additional obligations on organisations that want to transfer personal data to countries outside the EEA.

These developments are reflected in the new SCCs. For example, it is now necessary to assess the legal system and the data protection practices of the destination country. This is to see if the standard for the protection of the data is guaranteed.

Another upgrade to the SCCs is that they now follow a modular approach. This allows them to cover all kinds of transfer scenarios to third countries that don’t enjoy the ease of having an adequacy decision. This brings certainty for the processor-to-controller and processor-to-processor transfer scenarios, which were not covered under the old SCCs.

The new SCCs include the following modules:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

Will the old SCCs be invalid?

The message is clear: there is no need to panic! If you entered into the old SCCs before 27th September 2021, they will remain valid until 27th December 2022. This is provided that the supplementary measures required by the Schrems II decision have been implemented. In other words, you must assess the data protection level offered by the destination country and introduce mitigation measures if it is not essentially equivalent to the level of protection offered in the EU.

From 27th September 2021, you will have to use the new SCCs as a transfer tool. It would be prudent to already start thinking about replacing existing data transfers that rely on the old SCCs as the designated transfer tool. In the future, they will have to be migrated to the new SCCs or a different mechanism such as Binding Corporate Rules (BCRs).

What changes are there to data transfers between the EEA and the UK?

There’s no need for SCCs, as both the UK government and the EU Commission adopted adequacy decisions. This means that the data protection regimes are seen as offering an essentially equivalent standard of data protection. Personal data can therefore flow freely between the UK and the EEA.

What about data transfers from the UK to third countries?

The UK government has stated that the old SCCs will remain valid for existing and new transfers to third countries. However, it may be necessary to amend them to reflect that they apply to the UK and not the EU. The Schrems II decision also impacts the UK and therefore requires assessing the destination country’s level of data protection. If said level is not essentially equivalent to the one offered in the EU, mitigating measures need to be introduced. The ICO published UK versions of the SCCs to reflect the necessary changes.

The new EU SCCs are not part of the retained EU law in the UK and therefore cannot be used for transfers from the UK to third countries. The ICO is currently involved in a consultation on the new SCCs, but it is not clear what the outcome of it will be, or when.

Can I use the new SCCs instead of my own DPA within the EEA?

Preferably not. However, you can still use your custom DPAs if they are compliant with Article 28 of the GDPR. To ease your DPA negotiations, though, you might want to consider switching to the standard set of DPA rules set out in the second set of SCCs.

Here is a useful checklist

Here are the next steps you should take if you are using the old SCCs:

  1. List all personal data transfers outside the EEA
  2. Find the ones that rely on SCCs as the designated transfer tool
  3. Reach out to the data importer to start the migration to the new SCCs or a different transfer tool
  4. Determine which module(s) of the new SCCs apply
  5. Conduct and document an assessment of the legal system and privacy practices of the destination country. Implement mitigating measures (Schrems II)
  6. Ensure that all the old SCCs are replaced by 27th December 2022

Unsure what to do next?

Then book a call with us. You can call us, yes we have human beings that like to talk, on 03333 22 1011 or you can contact us here.