Are you currently transferring personal data to third countries, i.e. countries outside the European Economic Area (EEA) or the European Union (EU)? Are you using “outdated” Standard Contractual Clauses (SCC)?
If so, you should take action immediatly, because the “outdated” SCCs won’t be valid as of 27th Dec. 2022.
The legal importance of Standard Contractual Clauses:
Standard Contractual Clauses are contract framworks adopted by the EU Commission. If transfering personal data to countries without an adequacy decision and without an exemption under Art. 49 GDPR, SCCs must be aligned between the data exporter and the data importer. The contractual obligation and further technical and organisational measures are intended to ensure an adequate level of data protection. This also applies to data transfers within corporate groups. Our next article deals with the current challenge of data transfer to the US.
How come the old SCCs are now becoming outdated?
After Schrems II – when on 16 July 2020 the European Court of Justice declared the EU/US Privacy Shield invalid in its ruling C-311/18 – the European Commission undertook a revision of the Standard Contractual Clauses (2010/87/EU) valid until then and published a new version or modules of standard contractual clauses (EU 2021/914), which are binding for the conclusion of new contracts as of 27 September 2021. Old SCCs initially retained their validity until 27 December 2022.
What are the implications?
At the end of the year, the deadline expires and existing contracts must be converted to the new SCCs. Consequently, one no longer meets the GDPR requirements when transferring personal data to a country outside the European Economic Area or outside the EU without an adequacy decision and without exemptions under Art 49 GDPR. Instead, there is a concrete risk of fines being imposed by the supervisory authorities.
First, check whether you are exporting data to third countries with no adequacy decision. Pay particular attention to US service providers. As a data exporter, carry out a Transfer Impact Assessment (TIA). Feel free to use our template for developing TIA! Determine which modules of the SCC may need to be renewed. Contact your contractual partners/service providers if you still have outdated standard contractual clauses. Convert to the new Standard Contractual Clauses together or, if necessary, change the service provider if this proves to be too difficult.
Regarding data transfer to the US, a new adequacy decision by the EU Commission could make the conclusion of the new SCC redundant. However, there are currently no indications that such decision will be published before 27th Dec. 2022.
Please find the latest news about EU and US data transfer in our next article.