Where Personal Data is concerned, the landscape is always developing. The most recent development, beyond the EU’s determination of the UK as ‘Adequate’, is the approval and issuing of new Standard Contractual Clauses (SCCs) by the European Commission. We discuss below the instances in which SCCs are necessary, and compulsory, for your business, the changes between the new SCCs and their previous versions, and the timeline moving forward for the SCCs.
When should you use SCCs?
Wherever there is a transfer of personal data from a country based within the European Economic Area (EEA), including the UK even beyond Brexit, there are requirements within the GDPR and the UK GDPR directly that need to be complied with. These requirements are called safeguards. There is a group of safeguards set out, which includes adequacy; this is what UK- and EU-based entities rely upon for any transfers of data between them.
Where the third party country, being the country outside of the EEA, does not have a favourable adequacy decision, such as the US, then alternative safeguards will need to be incorporated to secure the transfer of the data and protect the individual whose personal data is being transferred.
Standard Contractual Clauses are one of these safeguards. In simple terms, they are an approved and rigid set of clauses to be incorporated into any agreement between a data controller, usually the Client, and a data processor, usually the Supplier. They govern the relationship from a perspective which is focussed on the personal data and ensure that both parties’ obligations with regard to the data are within the contract.
If you use service providers based outside of the EEA, such as a US-based tech company, you should ensure that SCCs are within your contractual agreement with them; otherwise you will be non-compliant with the GDPR.
If you are unsure if you need SCCs in a contract with a supplier, or with a client of yours, get in touch with us through our contact form for a free, initial consultation.
What has changed in the new SCCs?
The biggest change in the new SCCs is the scope to which they apply. Previously, the SCCs did not cover processor-to-processor transfers, such as where you are providing a service to an organisation in the EEA (and are doing so as a processor) and you wish to use a sub-processor based outside of the EEA, such as in the US or UAE.
In addition to widening the types of transfer covered, the new SCCs are also able to facilitate relationships of more than 2 parties, which could allow for three or more parties to be present within one set of SCCs. Most importantly, the SCCs as a whole have been updated to be more compliant with the GDPR itself, and these updates should be beneficial in protecting the individuals whose data is being transferred, which is the main goal of the GDPR.
However, the SCCs do not only bring with them flexibility and mouldable features; they unfortunately also bring significantly more onerous obligations on the party, or parties, based outside of the EEA. This will mean organisations based in the US will have more obligations to factor into their operations, which could, in the short term, affect the market and the availability of these firms.
With regard to the timeline, the transition from the old SCCs to the newer versions is to be done in a staggered approach. The new SCCs took effect on June 27th 2021 and can be used at any point following this. Meanwhile, the old SCCs can be used for new data transfers up to September 27th 2021.
From the 27th September, any new contracts including data transfers should not be using the old SCCs (in fact, they would not be compliant with the law) and should instead be using the newer versions. However, any contract agreed before 27 September, including ongoing contracts, will still be able to legally rely upon pre-agreed SCCs for a period of time.
Any legacy agreements, relying upon the old contractual clauses, will however have to be moved onto the new standard contractual clauses by 27 December 2022.
As the new SCCs are currently legally effective, it would be best practice to incorporate the new SCCs into these, to save any extra admin down the line from September or even heading into the end of 2022.
If you would like assistance with your data protection and with ensuring that the use of any of your third parties outside of the EU is compliant currently and beyond the 27th September, please feel free to get in touch with Ben Rose by telephone at 01273 447 065 or by email to [email protected].