Standard Contractual Clauses (All You Need to Know)

Vimal Mohan


Mar 25, 2024

Data is sensitive, and ensuring the integrity and security of the personal data of citizens of the European Union (EU) is one of the key objectives of the General Data Protection Regulation (GDPR). The GDPR aims to protect personal data both within and outside the boundaries of the EU. How does it do that? How does the European Commission exercise its power outside its own jurisdiction?

That is where Standard Contractual Clauses (SCCs) come in. SCCs aim to protect the privacy of the data subject in international data transfers as well as in transfers within the EU.

Here’s a simpler version of what SCCs really are!

When an organization legally sends personal data to another organization outside the European Economic Area (EEA), there are certain rules both parties have to abide by to remain compliant and avoid heavy penalties.

These rules (legal documents) are executed in the form of Standard Contractual Clauses (SCCs).

We’ve also explained what a controller, processor, and sub-processor are in this article. So, don’t worry, this should be a pleasant read 🙂

In this article, we aim to:

  • Demystify what standard contractual clauses are
  • Explain the types of SCCs
  • Look at the differences between the old and new SCCs
  • Understand how the new Standard Contractual Clauses are to be implemented.

What happens when an EU GDPR-compliant party processes a data transfer to another party outside of the EU?
Will the sender or the receiver be subject to legal action or heavy penalties?

What are Standard Contractual Clauses? 

In situations where the personal data is processed by a company located in one of the Member States of the European Economic Area (EEA) and Switzerland, GDPR applies directly, and adherence to the norms is mandatory.

GDPR doesn’t always apply directly in cases where EU personal data is transferred to a processor or recipient outside the EEA, as in cross-border data transfers. These cases call for Standard Contractual Clauses, another form of legally binding instrument that protects the data privacy interests of EU residents.

To ensure that organizations have implemented the most up-to-date measures to protect data within and outside the EU, the new SCCs were introduced.

The European Commission released two sets of SCCs.

(i) For processing data between data controllers and data processors who are under the purview of GDPR

(ii) For transferring personal data to locations outside the EU.


The new SCCs were introduced on June 27, 2021. These are an updated set of standards drafted by the European Commission which will replace the old/existing SCCs by December 22, 2022.

We will dive deeper into the two new sets as we go further in this article.

Who do EU Standard Contractual Clauses apply to?

EU standard contractual clauses apply to organizations with partners outside the EU, organizations with global supply chain reach, and organizations that outsource to offshore locations. These organizations are expected to uphold the desired data integrity and security practices.

The new EU Standard Contractual Clauses 2022 apply to:

  • Controller to Controller (C2C)
  • Controller to Processor (C2P)
  • Processor to Processor (P2P)
  • Processor to Controller (P2C)

Why were the New Standard Contractual Clauses created?

Standard Contractual Clauses (SCCs) have been in use since 2001 and were updated in 2004 and 2010. However, since the GDPR came into force in 2018, the directives that laid their foundations became dated and could no longer accommodate the ever-growing complexity of the controller–processor relationship.

The new Standard Contractual Clauses were created in response to the European Court of Justice’s (ECJ) judgment in the Schrems II case. In this case, the ECJ emphasized that organizations must conduct a case-by-case analysis of whether personal data shared with recipients outside the EU is protected to the standard the European Union demands.

The new EU Standard Contractual Clauses provide helpful guidance for anyone who wants to understand when additional appropriate safeguards are needed. This ensures appropriate data protection standards when personal data is transferred from the EU to third countries, including the United States.

Types of GDPR Standard Contractual Clauses

Currently, there are two types of SCCs that organizations are abiding by: the old one and the new one.

The old one has remained unchanged, and the European Commission has mandated that all organizations under the purview of GDPR must comply with the new Standard Contractual Clauses by December 27, 2022.

The new GDPR Standard Contractual Clauses are classified into two sets.

Set 1:
This set oversees the transfer of personal information (data) outside the European Economic Area (EEA).

Set 2:
This set oversees the nature of the relationship between the parties involved in a cross-border data transfer, such as GDPR data controllers and processors.

Implementation of Updated Standard Contractual Clauses

The European Commission issued an implementing decision on standard contractual clauses on June 4, 2021. These new SCCs will apply to all transfers of personal data to countries outside the EEA that rely on these clauses as a legal transfer mechanism.

The Commission also decided that when an existing data transfer agreement is amended during the transition period, the previous SCCs must be replaced by the new SCCs.

That translates to:

  • New contracts that are concluded on or before September 27, 2021, must be in line with the new SCCs.
  • Existing contracts that went live before September 27, 2021, have a window of 15 months to comply with the new ones, provided the processing agreements do not change and the personal data transferred remains protected as required by Article 46 of GDPR.
  • If any changes are made that could affect the processing operations, those changes should be updated to be in line with the new SCCs.
  • Every contract that went live before September 27, 2021, should be updated to be in line with the new SCCs by December 27, 2022, even if no changes were made.

Difference between old & new SCCs

While many responsibilities were carried over from the old SCCs into the new ones, a few new ones were added to ensure that the new SCCs mirror and accommodate the requirements of GDPR compliance. They are:


Data Importer Obligations:

The new SCCs are more focused on data importers who also double up as data controllers compared to the legacy versions of SCCs.

Transfer Impact Assessment

The old SCCs were not designed to protect personal data transferred to third countries against access by the governments of those host nations. The new SCCs are designed to protect data privacy and address government access.

New circumstances are being evaluated to ensure that data importers in host (third) countries, and their respective governments, are required to follow the policies set by the new SCCs.

  • More aligned with Article 28 of GDPR
  • The new SCCs enable multi-party configurations by agreeing to new norms.
  • According to the new SCCs, data exporters and importers need to conduct a Data Transfer Impact Assessment (DTIA) to analyze whether the local laws of the third country to which the data is sent comply with the new requirements.
  • The parties involved in a cross-border data transfer should be compliant with the new SCCs from day one, and must remain compliant until the operation ceases.
  • The participants in a cross-border data transfer should be able to produce a summary of the DTIA. The European Commission also expects to be notified in the event of a breach.

Changes in implementation with New GDPR Standard Contractual Clauses

If this is the first time you are implementing SCCs, we recommend you become compliant with the new SCCs. For those transitioning from the old SCCs to the new ones, we’ve listed steps to follow to ensure that you don’t miss anything crucial.

  • Identify and examine all your agreements with third-party vendors, including EEA data transfers. Then, start working on the most crucial ones and ensure that you have executed new SCCs by December 27, 2022.
  • Map the data you send to third countries, both actively and passively. This will help you cover blind spots that could be mislabeled, for example analytics, customer service, and more.
  • Run a transfer impact assessment to ensure that you comply with all the points listed by the board.
  • Identify the parties involved in every transaction and categorize them as importer, exporter, processor, sub-processor, or controller for visibility and transparency.
  • Ensure that all your data processing agreements with your vendors comply with the new standards.
  • Ensure that the correct modules are used for each transaction, and do not fail to fill in the SCCs and get them signed by both parties wherever applicable.
  • In certain instances, you will have to conduct a case-by-case analysis of the security risks involved in the transaction and list the security measures you are taking.
  • If you are required to respond to government and law enforcement agencies, refer to the policies and processes in the new SCCs before framing a formal response.

Non-compliance:

Suppose a personal data transfer to a third country breaches the guidelines in Articles 44-49 of GDPR. In that case, the parties involved could be fined USD 23 million or 4% of their annual revenue, whichever is higher.

Conclusion:

The new SCCs aim to protect user data in cross-border transactions, and we recommend you comply with the latest norms to ensure that you are on the right side of the law.

If you need assistance in becoming GDPR compliant, contact us. Our compliance experts will be happy to help you.

FAQ

What are Standard Contractual Clauses in GDPR?

Standard Contractual Clauses are another form of legally binding instrument to protect the data privacy interests of EU residents. When one organization transfers user data to another organization for processing activities, they sign this legal document as an attestation. This shows that the company receiving the data is GDPR compliant and will conduct data processing activities according to the guidelines of GDPR.

What are the new changes in GDPR Standard Contractual Clauses?

  • Identify and examine all your agreements with third-party vendors, including EEA data transfers, and ensure that you have executed new SCCs by December 27, 2022.
  • Map the data you send to third countries, both actively and passively. This will help you cover blind spots that could be mislabeled, for example analytics, customer service, and more.
  • Run a transfer impact assessment to ensure that you comply with all the points listed by the board.
  • Identify the parties involved in every transaction and categorize them as importer, exporter, processor, sub-processor, or controller for visibility and transparency.
  • Ensure that all your data processing agreements with your vendors comply with the new standards.
  • Ensure that the correct modules are used for each transaction, and do not fail to fill in the SCCs and get them signed by both parties wherever applicable.
  • In certain instances, you will have to conduct a case-by-case analysis of the security risks involved in the transaction and list the security measures you are taking.
  • If you are required to respond to government and law enforcement agencies, refer to the policies and processes in the new SCCs before framing a formal response.

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for everyday folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise.
