top of page

Tips to Comply with the New SCCs if you have EU customers

The European Commission (EC) recently issued its revised standard contractual clauses for data transfers to third countries. The Commission published two sets of new SCCs. The first set replaces the old SCCs for cross-border data transfers to third countries. The second set is for use between controllers and processors.

These contractual clauses can be the basis for data transfers from controllers or processors in the EU/EEA to controllers or processors outside the EU/EEA (not subject to the GDPR) and will hopefully bring uniformity to such relationships. The EC defines this new version as a way of providing better legal certainty for European businesses wanting to share data with third countries.

Service providers in the US and other third countries should expect EU customers to update their present data transfer agreements in compliance with the updated SCCs by December 2022. Complying with the new SCCs will require a significant amount of time and effort for implementation.

Below are some recommendations for service providers to consider when implementing the new SCCs with their EU customers.

1. Confirm the role of the data exporter and data importer

One of the biggest differences in the new SCCs is that the new SCCs adopt a modular approach. The implementation structure of the new SCCs includes four "modules" to encompass personal data transfers from a legal entity within the EU to that in a third country. The role of the data exporter and data importer determines which module to be followed for the different cross-border data transfer scenarios. The service provider should understand their role and their EU customers' role to identify the most appropriate module for their agreement. With the updated SCCs, it is possible for more than two parties to adhere to contract terms. This more complex contractual "eco-system" was not contemplated by the old SCCs.

2. Be prepared to handle new data subject rights

The old SCCs allowed data subjects to enforce third-party beneficiary clauses only against the data importer or the sub-processor. However, the new SCCs give data subjects the ability to enforce provisions against data exporters and also significantly extend the obligations for importers. Adopting and complying with the new SCCs may require considerable effort for these importers. Some of the obligations include privacy notices, notification of breaches, maintaining records of processing activities, and responding to data subject rights.

3. Build a data inventory (Data Map)

As discussed above, the new SCCs place major obligations on data importers, including responsibilities for transferring personal data to subcontractors. The importer will not be able to meet these obligations without a clear understanding of their data flows and records of processing activities.

4. Perform Transfer Impact Assessment

Perform transfer impact assessment (TIA) to assess whether the laws of the country into which data is imported will compromise data protections afforded under the SCCs and whether “supplementary measures” are needed to ensure adequate protection. All parties to the SCCs must also be able to show their compliance with the SCCs and keep a record of the data processing activities.

Data importers are required to notify the data exporter where it has received a data access request; assess the legal validity of such requests; and pursue legal remedies against such requests.

5. Update agreements with subcontractors

The new SCCs impose new obligations on the parties to ensure that such onward transfers are consistent with the SCCs. It is important to revise the agreements with subcontractors, so they are subject to the same obligations in accordance with the new SCCs.

6. Implement organizational and technical safeguards

The data importers and exporters should employ additional technical and organizational measures to ensure the security and privacy of personal data. Practices like data encryption, data minimization, and limited data retention should be adopted, along with additional measures for protection during transfer and storage of data. Security is a key focus area for the regulators, so it would be important to revisit this as a high priority.


Featured Posts

Recent Posts

Follow Us

  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square
bottom of page