The EU Commission has finally issued new Standard Contractual Clauses (‘SCCs’) which will replace the current SCCs. Under the GDPR, where personal data is transferred to countries outside the EEA that are not deemed to provide an adequate level of protection for personal data, an appropriate safeguard must be put in place. In many cases, SCCs will be the only practical solution.
The old SCCs have been heavily criticised over recent years as not being fit for purpose. For example, they did not adequately cover transfers by processors to third countries as they were only structured for an EEA controller to transfer data to a non-EEA processor or controller, but not for an EEA based processor to transfer data.
The new SCCs are more flexible and the following transfers are covered:
i. controller to controller;
ii. controller to processor;
iii. processor to sub-processor; and
iv. processor to controller.
For businesses currently relying on SCCs for data transfers from the EU, there will be an 18 month transition period for existing SCCs to be updated and a three month period for businesses to enter into new contracts using the old SCCs, in both cases from the date on which the Implementing Decision is published in the Official Journal of the European Union (OJEU).
The position concerning transfers from the UK is that the Information Commissioner’s Office (ICO) currently only recognises the old SCCs as a valid transfer mechanism. It is expected that new bespoke UK SCCs will be implemented but the ICO is also considering whether the new EU SCCs will be recognised.
For the time being, it is sensible to carry out a review of your data transfers to identify where data is transferred under the old SCCs and if data is transferred from the EU or the UK to third countries. Where data is transferred from the EU and the arrangement will continue for more than 18 months, new SCCs will need to be put in place. New contracts that will not be signed within the next three months will need to be signed using the new SCCs. Contracts that will be signed within the next three months, but will not last for more than 18 months, can be signed using the old SCCs. If you are transferring data only from the UK, you do not need to do anything just yet until there is further news from the ICO.
If you require assistance with identifying if you need to use the new SCCs or data protection law generally, please contact the Corporate and Commercial department at 3CS or your usual 3CS contact.