Standard Contractual Clauses and Data Transfer Assessment: just how safe are your safeguards?

28/07/'21- Following the Schrems II judgement and the invalidation of the EU-US Privacy Shield, Standard Contractual Clauses (SCCs) have everybody’s full and undivided attention. Especially in view of the new set of SCCs recently published by the European Commission. While the hype surrounding these new clauses are lauding its modernization that better reflect the current state of data processing, the practical reality of their application is not nearly as straightforward. Organizations have their work cut out for them because the SCCs are no longer just an administrative formality, the protection guaranteed by the clauses must be effective. Organizations can no longer shy away from extensively evaluating who and where they are sending their data to, which must now be documented by means of a ‘Data Transfer Assessment’. Whether this is new to you or if you are just looking for answers, read my blog below.

A short recap - what are SCCs and what do they do? 

The GDPR expressly refers to SCCs as one of the possible transfer mechanisms that organizations can use to safeguard data transfers. SCCs, drafted by the European Commission, are publicly available model clauses which can be used by organizations to safeguard their transfers between EEA countries and countries outside of that area, also known as transfers between a data exporter (established in the EEA) and data importer (established outside the EEA).

What is the big deal with the new SCCs?

The new and improved SCCs were drafted in response to calls for modernization in the face of significant developments of the digital economy and the increasingly complex reality of personal data processing (in terms of the actual processing operations and the involvement of multiple parties in the processing chain). The modular approach combines general clauses with four different modules to cater to specific transfer scenarios:

• Module 1: Transfer from controller to controller
• Module 2: Transfer from controller to processor
• Module 3: Transfer from processor to processor
• Module 4: Transfer from processor to controller

In using these modules, the contracting parties are afforded a new degree of flexibility to tailor their obligations, depending on their role and responsibilities of the processing associated with the transfer of personal data. It is also possible for more than two parties to be party to the SCCs, even allowing others to accede as data exporters or importers at a later date through the introduction of a ‘docking clause’.

Data Transfer Assessments - with new flexibility come new responsibilities

So, is this just a matter of updating your contracts and substituting the old SCCs with the new ones? Can you bundle most of your transfers into a single set of SCCs, updating them where necessary? The short answer is no.    

Organizations acting as data exporters are required to evaluate and document their data transfers and the effectiveness of their transfer mechanisms by means of a ‘Data Transfer Assessment’. Specifically, under Clause 14 of the SCCs and in line with Schrems II, organizations are now required to perform and document a case-by-case verification (i.e., for each data transfer) of whether the law or practice of the third country impinges on the effectiveness of the SCCs.

Where the effectiveness of the SCCs, and as such the level of protection of the personal data, may be jeopardized (e.g., due to potential interferences by foreign national security and intelligence agencies), data exporters must implement ‘supplementary measures’ to fill in the gaps aimed at ensuring an essentially equivalent level of data protection. This assessment must be conducted prior to any commencement of the transfer of personal data.

It is important to note that supervisory authorities can request a copy of Data Transfer Assessments at any time and organizations can be held accountable for any decision taken based on that assessment. Supervisory authorities may suspend a data transfer if no Data Transfer Assessment can be provided or if they do not agree with the outcome of such an assessment.

The European Data Protection Board (EDPB) has published extensive guidance on the matter to support organizations in this exercise, such as their “6 step approach” (see overview below) for data transfers and recommendations on the European Essential Guarantees for surveillance measures.

Data Transfer Assessments will need to document the following:

• An extensive description of the specific circumstances of the transfer (e.g., number of actors involved in the processing chain, categories of personal data and data subjects concerned, storage location, and transmission channels and formats);
• Comprehensive information on the legal assessment of the law and practice of the third country and their application to the specific transfer;
• Any relevant supplementary measures taken (ranging from additional contractual, technical, and/or organizational safeguards);
• The internal procedure to produce the assessment (internal and external stakeholders who contributed to the assessment) and dates of checks; and
• An official endorsement by the legal representative of the exporter.

When do you have to act? 

Organizations can already use the new SCCs when signing new contracts today but must in ensure they are used exclusively from the 27^th of September 2021 onwards.

With regard to existing contracts containing the old SCCs, organizations have until the 27^th of December 2022 to replace these contracts with the new SCCs. Note, however, that this extended deadline for existing contracts does not exempt organizations from having to conduct the 6-step approach as described by the EDPB in reaction to Schrems II.

What now?

The new SCCs are not as straightforward as one might have thought and, for many, raise additional questions. This puts organizations in a tough spot as waiting is not an option – the new SCCs will need to be used sooner rather than later. Our advice is to start preparing today and begin with answer the following questions: what data transfers do you have, what transfer mechanisms are they based on, who are the recipients and where are they located? Our advice to organizations is to develop a Data Transfer Assessment template and procedure to structure such work.

Do you have remaining questions around data transfers and the recent developments in light of Schrems II and the new SCCs? Are you unsure how to best react to these developments or looking for guidance on where to begin? Considerati has advised many clients with Data Transfer Assessments and the management of their data transfers. Be sure to contact Jonathan Toornstra for more information on how we can support your organization.