Harris Kyriakides
Harris Kyriakides

Migration to the new Standard Contractual Clauses

Posted on 30 November 2022 | 3 mins read

Businesses have until 27 December 2022 to migrate all contracts that use the old standard contractual clauses to the new model contract clauses (i.e. standard contractual clauses) for international data transfers from EU to third countries.

New Standard Contractual Clauses

On 4 June 2021, the European Commission adopted new Standard Contractual Clauses (the SCCs) for international transfers under the Regulation (EU) 2016/679 (GDPR). The new SCCs are to replace the previously adopted SCCs and a transition period is granted until 27 December 2022 to switch to the modernized SCCs. After 27 December 2022, it will no longer be possible for businesses to rely on the previous SCCs to lawfully transfer personal data to third countries.

 

What are the most important changes?

 

  1. Broadened scope: The new SCCs supplement the existing controller-to-controller (C2C) and controller-to-processor (C2P) modules with processor-to-processor (P2P) and processor-to-controller (P2C) modules.
  1. GDPR alignment: The new SCCs adhere closely to the language and rules of the GDPR.
  1. Docking clause: The new SCCs make multi-party arrangements easier by enabling new parties to join the existing parties in the international data transfer agreement at any time during the agreement’s lifetime.
  1. Transfer Impact Assessment (the TIA): The new SCCs require that data exporters and importers complete a transfer impact assessment to determine if the third country’s laws and practices present a barrier to the data importer’s compliance with the new SCCs.
  1. Active accountability: The new SCCs make clear that data exporters and data importers must be able to show both initial and continuous compliance with the new SCCs.
  1. Explicit data subject rights: The new SCCs now explicitly mention that, upon request, data subjects must be given a copy or an overview of the global data transfer agreement. Additionally, they must be informed of any access requests made by competent authorities (if permitted) as well as any high-risk data breaches.

 

What do businesses need to do?

 

To the extent not already done, businesses need to ensure that they:

  1. review their data transfers and transfer mechanisms;
  1. from 27 December 2022, implement the new SCCs into any new international data transfer agreements;
  1. by 27 December 2022, modify any existing international data transfer agreement to include the replacement of the former SCCs with the new SCCs;
  1. notify counterparties to existing international data transfer agreements that the former SCCs must be replaced by the new SCCs by 27 December 2022;
  1. gather the data required to complete any documentation/SCCs, such as selecting the appropriate new SCCs module;
  1. carry out and record a TIA for each international data transfer made to ensure that data importers adhere to the requirements of the new SCCs; and
  1. become aware of their obligations under the new SCCs and have adequate procedures to ensure that these can be satisfied.

Conclusion

Not complying with the transition to the new SCCs and the new requirements imposed within the transition period would amount to a serious breach of GDPR. Accordingly, it is critical that businesses act to prepare to use the new SCCs and to migrate existing arrangements by December 27, 2022.

 

For more information please visit our website microsite on  Data Protection & Cyberlaw  or send your queries to [email protected]