What are Standard Contractual Clauses and why use them?
The transfer of personal data gathered in the European Economic Area (“EEA”) and the United Kingdom (“UK”) is strictly regulated by the General Data Protection Regulation (the “GDPR”). For instance, personal data can flow freely from the EEA to just 13 countries – countries that the European Commission (the “EC”) has deemed to have “adequate” data protection laws and practices. Thus, companies that collect personal data in the EEA and want to transfer it to “inadequate” countries must apply “appropriate safeguards” to the data.
The most used safeguard is standard contractual clauses, commonly referred to as “SCCs.” SCCs are standardized, pre-approved contractual language, developed by the EC, to ensure that all data transferred to any “inadequate” country has essentially the same level of protection as that provided by European Union law. Despite all the attention on the newly published SCCs, they are not actually new. The EC approved the prior version under the old Directive 95/46/EC (the “Old SCCs”). For the reasons discussed previously, the EC published two new sets of SCCs on June 4, 2021. The “First Set” replaces the Old SCCs and should be used for international transfers of personal data. The “Second Set” (which is actually new) governs the transfer of personal data between controllers and processors – even those operating solely within the EU (for simplicity, the First and Second Sets of SCCs will be collectively referred to as the “New SCCs”).
The New SCCs are the result of significant changes in EU law. While the Old SCCs addressed only controller-to-controller transfers in one set of clauses and controller-to-processor transfers in another set, the New SCCs are purportedly designed to be more versatile and easier to use. While they remain a combination of non-negotiable, standard clauses, they are in a modular format for transfers from (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller.
Critically, businesses have until December 27, 2022, to replace all Old SCCs with the New SCCs. This will be a monumental task for some businesses. Advisori can help. We have the privacy practices lawyers, contract managers, and analysts necessary to handle any SCC update project.
We do the following to ensure that our clients meet their regulatory guidelines.
- We collaborate with internal stakeholders to identify and gather all contracts and artifacts required to scope the SCC remediation project.
- We examine all existing contracts and data transfers to identify contracts and SCCs that need to be updated.
- We develop a comprehensive project plan that includes deliverables and a tracking schedule.
- We create a detailed SCC remediation project playbook tailored to your company’s operations and size.
- We draft or revise existing contracts and update their SCCs.
- We identify and work with those in privity of contract with our clients to ensure that all contracts are updated and executed.