SCC deadline Dec. 27, 2022 - Already done the changeover?
OLD STANDARD CONTRACT CLAUSES MUST BE ADAPTED
Introduction
Attention: Contracts concerning the transfer of personal data to countries outside the European Union or European Economic Area or to international organisations that were concluded before September 27th, 2021 need to be replaced by December 27th, 2022 with the new Standard Contractual Clauses (SCCs) adopted by the European Commission.
Why change?
According to Art. 44 et seq. of the General Data Protection Regulation (GDPR), the transfer of personal data to third countries or an international organisation is subject to special requirements to ensure that the European data protection standards are met. One option is to use SCCs (cf. Art. 46(2)(c) GDPR). Last year, the Commission renewed its SCCs and adapted them to the current level of data protection set in the GDPR. Since then, the use of the old clauses is no longer sufficient, which also means that contracts concluded before September 27th, 2021 using the old clauses must be replaced by the new SCCs.
For more background information on the new SCCs, their opportunities and risks, see our blog post from June 2021 at https://rickert.law/en/the-new-standard-contractual-clauses/.
Has the Executive Order changed anything for data transfers to the United States?
On October 7th, 2022, President Biden signed an Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities (E.O.) to implement the U.S. commitments under the EU-U.S. Data Privacy Framework (https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/).
However, this E.O. has no immediate impact on European companies that transfer personal data to the United States. It has yet to be reviewed by the European Commission and evaluated in terms of data protection law. As long as there has been no adequacy decision (cf. Art. 45(3) GDPR), companies still have to use SCCs.
What are the challenges?
The new clauses of the European Commission have a modular structure: there is a choice between modules for four different constellations. The new SCCs also contain various annexes that need to be adjusted to the specific case for transparency reasons.
Furthermore, the use of the SCCs does not exempt you from carrying out an individual risk assessment in the specific case. This means that additional reviews must be carried out to determine how the data is protected in the specific third country or in the specific international organization and what obligations may result from this.
You must review whether the legal situation and the processing of any requests for information from an authority in the third country can ensure adequate protection of personal data. It is therefore also necessary to check your existing contracts to see whether any agreements made there still correspond to the current level of data protection and, if not, to renew them as well. Your company may also be exporting data of which you were previously unaware and which must be put on a legally sound footing.
- Do you need help with implementing the new SCCs or doing data transfer impact assessments?
- Are you unsure whether adjustments need to be made to your current contracts?
- Or do you have further questions about data transfer with third countries or international organisations?
As a law firm specializing in data protection and IT law, we are happy to answer all of your questions and support you with your GDPR compliance.
What happens if I miss the deadline?
If a supervisory authority finds a transfer of personal data to third countries or international organisations without an appropriate legal basis, it may impose a fine under Art. 58(2)(i) in conjunction with Art. 83(5)(c) GDPR, of up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. The supervisory authority may even order the suspension of data flows (cf. Art. 58(2)(j) GDPR).