On June 4, 2021, the European Union released a new version of the Standard Contractual Clauses (“SCCs”, or “Model Clauses”). The SCCs were first implemented in 2016 as part of the General Data Protection Regulation (GDPR). They are intended as template documents to ensure that the transfer of personal data from an EU Member State to third-party countries outside the European Economic Area (EEA) meets stringent safeguards. These requirements apply to any company based outside the EU that collects, uses, discloses, and stores personal information as part of their business practices.
While the current SCCs are not immediately invalidated with the implementation of the new templates, the new SCCs will come into effect on or about June 24, 2021, some 20 days after the EU’s publication of the new Model Clauses. There is also a transition period of 18 months after the publication date to move any contracts a business has that use the current SCCs over to the new Model Clauses, meaning that businesses will have until December 2022 to comply with the new SCCs.
As a general rule, companies incorporate SCCs into their contracts to ensure that they comply with the GDPR when processing the personal information of their clients. Implementing SCCs allows the continued transfer of personal data even if a third-party country’s data protection laws are not consistent with, or deemed equivalent to, the GDPR. If a company does not have SCCs in place as part of its contracts, it runs the risk of being non-compliant with the GDPR, which carries repercussions such as stop orders from the EU or fines of up to €20,000,000 in the event of a data breach.
The following is a summary of the changes to the GDPR’s Model Clauses / SCCs:
Single Point-of-Entry Scenario-Based Data Transfer
Under the previous templates, obligations were imposed on companies as data controllers and processors to process personal data based on their role. However, entities may at times find the obligations confusing and ambiguous, depending on their interpretation of “controller” and “processor”. There are also issues with respect to the amount of personal data that can be sent to sub-processors (or sub-contractors) and how the obligations flow down to third-party vendors.
The new clauses on data transfer allow an organization to better understand how personal data flows between controllers, processors, and sub-processors based on their relationship to one another. For instance, obligations between a company and their service provider can be interpreted as a controller-processor relationship, and the new data transfer agreement outlines the privacy protection requirements for this contractual arrangement. Similarly, there are sections outlining the requirements and data protection obligations for a processor using a third-party sub-contractor, and how information can flow between entities characterized as having that kind of relationship in the processing chain. Therefore, the new clauses are situation-based and help businesses better understand their obligations on the protection of personal data during transfer. An entity can choose to include the clauses based on the type of scenario within which data is being transferred.
The GDPR uses broad language in its technical requirements to protect personal data, such as “appropriate safeguards” and “encryption”, without being highly prescriptive. This is open to interpretation, which encourages businesses to use industry-accepted technical standards such as ISO or SOC 2 to demonstrate their due diligence.
The revised GDPR SCCs have a technical “toolbox” that outlines the minimum requirements binding upon controllers, processors, and sub-processors of personal data. While they are still not prescriptive, the SCCs list a number of technical steps that may be used to safeguard personal data, such as:
Steps to pseudonymize and anonymize personal data
Data recovery and business continuity in the event of an interruption to business activities
Measures to protect personal data in transit and at rest
IT governance management
Minimization of data collection
Restriction of processing (including access, use, and disclosure) of personal data
Although these requirements remain high-level, the new SCCs set a minimum expectation of data protection without having to rely upon presumptions or inferences. This will reduce the amount of debate or controversy over how data is being processed. Additionally, including these measures in a service agreement will assist auditors in evaluating whether personal data is sufficiently protected under a processing agreement.
What remains unclear is whether complying with the GDPR’s technical standards amounts to compliance with IT industry security standards. The GDPR remains high-level on this, as different industries may have more exacting technical standards, and the GDPR cannot override those requirements where they are absolute. The intention appears to be to strike a balance between the two.
What does this mean for your company?
If your company is processing personal information pertaining to EU residents or data subjects, you are subject to the GDPR and must comply with it. Compliance with the domestic privacy laws of your own country does not exempt you from complying with the GDPR; any relief depends heavily upon the EU’s decision that your country is a safe haven for the processing of personal data. Such decisions are subject to change and rely upon the EU’s review of the data privacy laws in your country.
The new SCCs / Model Clauses are heavily situation-based to better outline the obligations businesses and other entities have in transferring personal data between data controllers and processors. They simplify and outline the minimum data protection requirements businesses can expect from their service providers.
When do I have to make changes?
If your business currently has an agreement with an EU-based customer or partner, now is an opportune time to review the clauses you have in place. The addition of the new SCCs does not immediately invalidate any agreement you currently have. You may continue to use the current SCCs for a further period of 3 months and 20 days, or up until September 24, 2021. After that, you will have 18 months and 20 days to put the new SCCs in place, with full compliance required by December 24, 2022.
At this time, if any of your business’s contracts include the SCCs, you may wish to implement the new SCCs sooner rather than later to ensure compliance. You must also consider using the new SCCs if you are negotiating a new deal that involves the transfer of personal data to and from the EU. Please consult with your legal counsel prior to making any decisions on revising current contracts you may have that include the SCCs.
No matter where you are located, incorporating the SCCs into your contracts with business partners, subsidiaries and service providers will help ensure that you remain compliant with the GDPR.
How can Kobalt.io help?
We provide a number of privacy compliance service options, including GDPR gap analysis. These engagements involve a complete inventory of the personal data your firm processes, mapping of that data to the GDPR legislative grounds that permit its processing, evaluation of any gaps, review of any service agreements in your firm and their use of SCCs, and recommendations to close gaps and mitigate risk. Our subject-matter expert is a certified information privacy officer with an EU designation (CIPP/E) and can provide the following services:
Privacy gap analysis, focusing on GDPR requirements (project-based);
Ongoing privacy and GDPR advice (regular retainer); or
Responding to and providing advice on handling data privacy breaches.
Although we provide gap analysis on the SCCs, we do not provide legal advice, and any gaps with a legal risk must be addressed directly with your lawyers.