Standard Contractual Clauses (SCCs) are a key mechanism by which organisations can transfer personally identifiable data to/from countries outside European Economic Area (EEA). This mechanism is particularly relevant for countries that have not received an adequacy decision by the European Commission. Usually, countries outside the EEA are referred to as “Third Countries”. SCCs are published by the EU and must be included unchanged in contracts. The UK regulator has a mechanism similar to the EU SCCs.
SCCs are model data protection clauses that have been standardised and pre-approved. SCCs are considered “safeguards” that ensure controllers and processors remain compliant to their duties under EU data protection law, whilst preserving the data subjects’ rights.
SCCs and the UK
EU SCCs are not valid in the UK. However, a similar approach is in place. The ICO (Information Commissioners Office) held a consultation on the adoption of new Standard Contractual Clauses (SCCs) for the UK in response to the divide between the EU and UK caused by possible Brexit. As a result, the UK Addendum and the International Data Transfer Agreement (IDTA) came into force on the 21st of March 2022. The IDTA or the UK Addendum may be used, as preferred by the controllers and processors. Unlike the New EU SCCs, the IDTA does not include all mandatory clauses required in a controller to processor data processing arrangement. Thus, a separate data processing agreement will be necessary, whereas the UK Addendum is meant to be used in tandem with the new EU SCCs.
The EU Commission issued new modernised SCCs under the GDPR. These new SCCs became applicable from the 27th of June 2021 in the EEA and the 21st of March 2022 in the UK. Since the 27th of September 2021 (EEA), and the 21st of September 2022 (UK), contracts containing these previous sets of SCCs cannot be executed anymore. For contracts signed before September 27th, 2021, controllers and processors may still rely on those previous SCCs through December 27th, 2022, provided that the processing operations covered by the contract do not change. As for the UK, the transition period for replacing the old SCCs expires on the 21st of March 2024.
What has changed in the EU and with the updated SCCs?
The new SCCs take a modular approach to the types of transfers carried out. For example, controller to controller transfer, controller to processor transfer, etc., each have separate modules. The new SCCs can now contain a docking clause allowing multi-party contracting. This is an optional clause by which the parties to the SCCs can agree to allow for future participation by other parties. The latest SCCs impose a duty on importers for increased reporting and documentation. Following European Data Protection Board (EDPB) guidance, supplemental measures must be specified and applied by all importers. Otherwise, the variances must be noted. Furthermore, exporters to Third Countries can now use SCCs. The SCCs must, however, be passed down the chain of onward transfers by implementing such provisions in each transfer agreement. The data importer will be subject to the jurisdiction of EU supervisory authorities.
Your Business and SCC’s and what you should be checking as the deadline approaches
To help you check whether you might have work to do to ensure compliance with the new SCC’s and meet the deadline, here are some helpful questions;
- Do you use cloud-based services or other international service providers and have not updated your contracts with them (except for Microsoft/ Salesforce etc, as their contracts were updated automatically)?
- Do you have affiliates in third Countries that can access your data, or do you provide them with IT services, but either do not have an “Intra-Group Data Transfer Assessment” or do have such a contract, but have not updated it since 2021?
- Do you have processors in third countries, that process EU personal data or provide them access to EU personal data, but have not updated your data protection clauses with them?
- Are you using the new EU SCC’s without having notified the Federal Data Protection Information Commissioner about their use? [only Switzerland]
- Do you transfer personal data to parties in third countries using the EU SCC, but have you conducted a Transfer Impact Assessment/ Transfer Risk Assessment for the UK?
If you answered yes to any of the above questions, you should be aware of the need to take action in which HewardMills is available to support you. Contact us at email@example.com