Until December 27, 2022, personal data controllers and their authorized persons for the purposes of personal data protection legislation must conclude the new standard contractual clauses adopted by the European Commission from June 4, 2021 (“new SCC”) when transferring or entering available personal data to other companies under outside the EU, including other group companies, or various service providers.
Standard Contractual Clauses are a transfer mechanism under EU Regulation 2016/679 (GDPR) that many companies rely on in practice to ensure an adequate level of data protection when transferring data outside the EU. The new SCCs strengthen this protection by replacing the old standard contractual clauses adopted under the previous Directive 95/46 on the protection of personal data.
The conclusion of new SCCs requires companies to review contracts with suppliers, customers or other contractual partners and analyze related data flows, if the provision of services in the contract involves the access or disclosure of personal data outside the EU.
Some of the main changes introduced by the new SCCs that companies should consider when signing the new SCCs are:
- the content of the new SCC provides for more detailed obligations for both companies and their suppliers located outside the EU, as well as a number of comprehensive annexes that must detail the transfer of data and implement technical and organizational measures;
- determining the applicable module depending on the qualifications of the parties – the new SCCs offer a modular approach covering four modules from which companies must choose depending on the qualifications of the parties (operator-operator, operator-authorised person, authorized person-authorised person, authorized person-operator);
- the obligation of the parties to carry out an impact assessment of the data transfer by analyzing the level of protection offered by the state to which the data is transferred.
Therefore, the implementation, accordingly the transition to the new TOUs is not a simple formality of signing them, but requires significant efforts and resources, and companies that have not yet taken this step should take steps to comply, given that the deadline is fast approaching. And this is all the more so since non-compliance with the provisions on transfers outside the EU can be punished according to the GDPR with a fine of up to 20,000,000 euros or 4% of the turnover.
The article is signed by Carla Philip (attorney), privacy lawyer at Schoenherr and SCA Associates, and Marta Tudor (attorney), privacy lawyer at Schoenherr and SCA Associates
Ashley Bailey is a talented author and journalist known for her writing on trending topics. Currently working at 247 news reel, she brings readers fresh perspectives on current issues. With her well-researched and thought-provoking articles, she captures the zeitgeist and stays ahead of the latest trends. Ashley’s writing is a must-read for anyone interested in staying up-to-date with the latest developments.