11 November 2022

How to update your Standard Contractual Clauses

By the end of 2022, businesses must have updated their Standard Contractual Clauses. Here's how to do it.

Standard Contractual Clauses (SCC) ensure the legally compliant handling of personal data in third countries whose level of data protection has not yet been assessed as adequate by the EU Commission.

If this is new to you, we recommend our Beginner’s Guide to Standard Contractual Clauses.

Standard Contractual Clauses have been around since long before the GDPR. However, the GDPR and the Schrems II ruling have meant that the EU Commission has had to update them to ensure continued legal certainty.

These new SCCs have been in place since June 2021, and since then all new contracts must contain these updated clauses. For existing contractual relationships, a deadline has been set for the changeover: December 27th, 2022. By then, old contracts must have been updated with the new clauses; otherwise, businesses face penalties from data protection authorities.

We have put together a quick guide on how to update your standard contractual clauses:

1. Identify contracts

First, you should identify your contractual relationships with partners in third countries that work with your users’ personal data. Third countries are countries outside the European Economic Area (EEA). You can find a list of EEA countries here.

2. Check for adequacy

Next, you should check whether an adequacy decision by the EU Commission exists for the respective third country. If yes, data protection would be guaranteed and SCCs would not be necessary.

3. Review contracts

If there is no adequacy decision, you need to review the contracts and check whether the new Standard Contractual Clauses (SCC 2021) are included. Larger service and software providers such as Google or Microsoft make it easy for you: they have most likely already integrated the new SCCs into their terms and conditions. In the case of smaller providers in third countries, however, you should carefully check the respective contracts, usually the terms and conditions.

Note: Just because a provider has already integrated the new SCCs into their contracts, it does not mean that the transfers are also compliant with the GDPR. Compliance requires further review – a so-called Transfer Impact Assessment (more on this in a moment) – which is likely to be negative for providers from the USA due to the Schrems II ruling.

How you can recognise the new SCCs:

The new SCCs consist of four modules for different scenarios of the relationship between data controllers and processors as defined by the GDPR.

In addition, you can easily recognize the new SCCs by the obligation for both parties to conduct a Transfer Impact Assessment (TIA) – this is a thorough analysis of the applicable law of the third country to assess any real or hypothetical risks that could jeopardize the security of the personal data.

If a risk is identified, the parties must agree on additional measures to ensure security. Again, this did not exist in the old clauses.

More details can be found here on the EU Commission’s pages.

4. Request an updated contract

If you find the SCCs have not been updated, you should ask your contract partner to integrate the new SCCs (make sure you use the correct modules!) into their terms and conditions and sign them again.

Important: SCCs may not be amended, only supplemented by additional clauses, as long as they do not contradict the wording of the SCCs.


Your SCCs should now be up to date. Both parties are now obliged to carry out the aforementioned Transfer Impact Assessment. We will have a guide on how this works on our blog soon.

Please note that this article is for information only and does not constitute legal advice.
