New Standard Contractual Clauses:  Implementation and December Deadline

PUBLISHED: 1st November 2022

The European Commission published updated Standard Contractual Clauses (SCCs) under the GDPR on 4 June 2021.

Organisations have until 27 December 2022 to incorporate the new SCCs into all existing contracts that use standard contractual clauses. 

What are SCCs?

SCCs are a mechanism for the international transfer of personal data.  The SCCs have been approved by the European Commission for use when personal data is being transferred to countries outside the EU that have less robust data protection laws (third countries).  

Once properly implemented, SCCs provide a means for organisations to legally transfer personal data to third countries.  SCCs are not the only option but are becoming the most popular transfer mechanism.

Are SCCs relevant to your organisation? 

If your business collects any personal data relating to EU citizens and transfers that data to countries outside the EU, then you should know about SCCs.

The GDPR places obligations on organisations which store or interact with the personal data of EU citizens.  One important aspect of the GDPR is that those obligations continue to apply to organisations that transfer personal data outside the EU.  What constitutes a ‘transfer’ is broadly defined, but some common activities that would constitute a transfer of personal data outside the EU may include where:

•    An organisation uses a HR platform to manage its EU employee data (for example, to process time off requests or payroll) and the platform has servers that are based outside the EU.
•    An organisation has offices both within and outside the EU and allows all offices (including those based outside the EU) to access the personal data of EU customers in order to develop its products.
•    An organisation uses a cloud service provider (such as Google Drive, Dropbox or Sales Force) to store personal data and that cloud service provider stores the personal data in servers outside the EU.
•    An organisation uses an international IT support provider with engineers based in Ireland who need to grant access to individuals outside the EU to carry out repairs.
•    A retailer has a website that collects user email addresses for a newsletter where the website or email platform is hosted outside the EU. 

What has changed in the SCCs?

The layout of the new SCCs is different – they are now presented as a single document in a modular form allowing the appropriate contract to be built for a particular scenario.  The scenarios offered are as follows.

1    Module 1: Controller-to-Controller transfers.
2    Module 2: Controller-to-Processor transfers.
3    Module 3: Processor-to-Processor transfers. 
4    Module 4: Processor-to-Controller transfers.

The new SCCs also place significant additional obligations on the data exporter and data importer.  Firstly, clause 8 requires the data exporter to warrant that it has used reasonable efforts to determine that the data importer is able to satisfy the obligations of the SCCs.  In practice this means that, prior to entering into these clauses with another party, the data exporter is required to carry out a certain amount of due diligence on the data importer to ensure it is able to satisfy its obligations under the SCCs, i.e., it is no longer sufficient to simply rely on the data importer having signed up to those obligations.  The data exporter could otherwise be held liable for any breaches of data protection law that are later found to have been caused by a data importer.

Secondly, clause 14 (which codifies Schrems II) requires both parties to warrant that they have no reason to believe that the laws and practices in the third country of the data importer prevent the data importer from fulfilling its obligations under the SCCs, based on  the understanding that “laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society”. 

These changes indicate that the European Commission expects that a Transfer Impact Assessment (TIA) will be carried out prior to entering into the new SCCs.  

Additionally, the SCCs allow third party beneficiaries (data subjects) to enforce their rights under the SCCs notwithstanding that they are not a party to the contract.  When the SCCs were first released in draft form by the European Commission, it was noted by many commentators that this requirement would preclude the SCCs from being governed by Irish law which typically excludes third party contractual rights under the principle of ‘privity of contract’.   This necessitated a change to Irish law, which was implemented by statutory instrument inserting a new section 117A into the Data Protection Act 2018 and permits data subjects whose personal data is included in a transfer to enforce the rights conferred on them under the SCCs.  This ensures that SCCs can be governed by Irish law, which will be a welcome relief to many businesses.

What do you need to do?

Identify affected contracts and prioritise remedial works appropriately.

A review of existing contracts containing the previous version of SCCs should already be well underway within organisations.  This should include carrying out TIAs in respect of affected vendors and customers and issuing new SCCs to them.  If under pressure for time, organisations might opt for a risk-based approach to updating existing contracts, starting with the contracts that are the highest risk, i.e., those that are transferring particularly sensitive types of data or contracts that are particularly business critical.  Other indicators of high-risk contracts include those that matter most to your customers and may lead to issues with customer retention if they are not updated.  

Organisations are reminded that all new contracts requiring SCCs must include the new SCCs. The new SCCs are available here.

The Team at LK Shields is available to provide legal advice and practical insights to any business concerned about data protection issues and how they might affect their business.  For more information, please contact dataprotection@lkshields.ie or Aideen Burke at aburke@lkshields.ie.