SCCs – International Transfers
- International transfers
What is the new SCC?
Organizations subject to the EU GDPR are subject to Article 45 EU-DSGVO (with the exception of Article 45 EU-DSGVO (that is, unless they provide an “appropriate guarantee” within the meaning of Article 46 EU-DSGVO (with the exception). There is no decision on the validity of the European Commission (unless applicable). The SCC adopted by the European Commission is the most widely used “reasonable safeguard” today.
The SCC imposes contractual data protection obligations on non-EEA organizations, and (ii) if any data subject fails to comply with these contractual data protection obligations, they will be in breach of contract in Europe. You can sue non-EEA organizations.
When will the old SCC be replaced?
European Commission decisions 2001/497 / EC and 2004/915 / EC (relationships between managers) and decisions 2010/87 / EU (relationships between managers and processors) caused earlier SCCs to be 9 It will be officially cancelledon the 27th of March. 2021. It cannot be included in data transfer agreements entered into after September 27, 2021.
Data transfer agreements, including previous SCCs entered into before September 27, 2021, remain unchanged in the processing operations covered by the agreement, and due to their reliance on these terms, transfer data for personal data. Is subject to reasonable safeguards. These need to be changed by December 27, 2022 and replaced with the new SCC.
Who can use the new SCC?
The new SCC works in different types of relationships.
- EEA relationship for controllers not EEA related (previously used by SCC under decision 2001/497 / EC modified by decision 2004/915 / EC version);
- EEA controller and non-EEA controller EEA processor relationship (previously handled by SCC under decision 2010/87 / EU);
- Processor-Non-EEA-Sub processor relationship (this was not previously dealt with by the SCC under Decision 2010/87 / EU, so it could only be signed by a processor with attorney’s authority from the controller);
- Relationship between EEA processors and non-EEA controllers (previously not addressed by SCC).
What are the new features of these SCCs?
The new SCC imposes even more obligations on non-EEA administrators and processors, especially with respect toinformation to data subjects, reporting of personal data breaches, and transfer outside the EEA. Data importers ensure that third-country laws and customs at their destination do not prevent data importers from fulfilling their SCC-based obligations, including requirements for disclosure of personal data and measures that allow access by authorities. Requests evaluation and declaration. .. It also includes a “docking clause” that allows additional parties to participate.
Are they also relevant under the UK GDPR?
The new SCC will not function within the meaning of Article 46 of the UK GDPR (that is, the EU GDPR contained in UK law under the European Union (Withdrawal) Act 2018). The previous SCC should continue to be used by companies subject to the UK GDPR. The UK Data Protection Authority (ICO) confirmed at the 2021 Data Protection Working-level Conference that it is working on a new SCC specific to the UK.
What should organizations do next?
Organizations subject to EUGDPR and / or UKGDPR will (i) update the data protection attachment template with the new SCC, add the new SCC by September 27, 2021 at the latest, and (ii) implement the amendments. You should consider doing. Contracts containing new SCCs related to existing data transfer contracts by December 27, 2022 at the latest. Aservice provider, partner …) who has or is about to enter into a data transfer agreement.
To comply with the General Data Protection Regulation (“GDPR”), organizations must map and validate international data transfers and their corresponding transfer mechanisms so that the corresponding changes can be made in a timely manner.
Compliance, Schemes II, new SCCs and the most important changes:
Using standard contractual clauses does not automatically make an international data transfer compliant with the GDPR. The parties must adequately assess and document any international data transfer and must address the corresponding risks and take supplementary measures to the extent required. Schemes II and the European Data Protection Board’s (“EDPB”) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”) and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Essential Guarantees”) provide relevant criteria in that regard.
The impact of Schemes II on international data transfers has been taken into consideration in the new SCCs, together with the need to align the former SCCs with the GDPR and bring them up to date with developments in the digital economy. The new SCCs provide a framework to structure what are termed ‘transfer impact assessments’ (“TIA”), and they shed light on parties’ obligations to conduct such a TIA.
The most important changes in the new SCCs are:
- Broadened scope: The new SCCs supplement the existing controller-to-controller (“C2C”) and controller-to-processor (“C2P”) modules with processor-to-processor (“P2P”) and processor-to-controller (“P2C”) modules.
- GDPR alignment: The new SCCS closely align with the terminology and provisions of the GDPR and have incorporated the requirements of Article 28 GDPR into the C2P and P2P modules.
- Docking clause: The new SCCs facilitate multi-party configurations by allowing new parties to accede to the international data transfer agreement between the existing parties throughout the lifecycle of the agreement.
- Transfer impact assessment: The new SCCs specify the requirement to conduct a transfer impact assessment. Data exporters and data importers need to assess whether the laws and practices of the third country pose a barrier to the data importer’s compliance with the new SCCs. The new SCCs list certain matters that need to be taken into account in that regard, ranging from the circumstances of the transfer to the nature of the parties and personal data involved, and from the laws and practices of the third country of destination to the existence of any supplementary measures. The EDPB’s Recommendations and the Essential Guarantees provide additional guidance on these aspects of the assessment.
- Active accountability: The new SCCs make clear that data exporters and data importers need to be able to demonstrate compliance with the new SCCs from the outset and on an ongoing basis. The new SCCs lay down the responsibilities and obligations for the data exporter and data importer; for example, the data importer’s obligations to perform a legality review and its notification and documentation obligations when it receives a legally binding request to access personal data from competent authorities.
- Explicit data subject rights: The new SCCs now explicitly mention that, upon request, data subjects must be provided with a copy or a meaningful summary of the international data transfer agreement. In addition, they need to be notified in the event of a high-risk data breach as well as of any access request by competent authorities (if permitted).
Actions to be taken to the extent not already done, it is recommended that organizations ensure that:
- they review and map their data transfers and the corresponding transfer mechanisms;
- from 27 September 2021, any new international data transfer agreement incorporates the new SCCs;
- any alteration of an existing international data transfer agreement prior to 27 December 2022 needs to include replacing the former SCCs with the new SCCs;
- counterparties to existing international data transfer agreements are informed that the former SCCs will need to be replaced by the new SCCs no later than 27 December 2022;
- they collect the information necessary to complete any documentation, such as choosing the appropriate new SCCs module and relevant options within this module, etc.;
- they conduct and document a TIA for every international data transfer to ascertain that data importers can actually fulfil the obligations in the new SCCs; and
they familiarise themselves with their obligations under the new SCCs and set up procedures to ensure that these can be satisfied, including periodic compliance reviews.
GDPR and how SaaS (Software as a service) businesses can become compliant with the GDPR On May 25, 2018, the European Union introduced the General Data Protection Regulation (GDPR) to ensure maximum data protection privileges for people across the European Union....
Data in sports Data analytics in sports was first popularized by the efforts of Billy Beane during his reign as General manager of the Oaklands Athletics baseball team (also portrayed in the commercial film Moneyball). However, it’s a common practice now for...
Ring video doorbell : GDPR and Privacy - what homeowners need to know A recent case in the Oxford County Court highlighted the perils for homeowners of operating a Ring product to protect their properties. Ring products, such as smart doorbells and security...
The risks of over or under retention Organizations want to be conscious of the legal guidelines that pertain to their personal data processing. Personal data have to be kept lengthy adequate to comply with applicable legal responsibility. The minimum or maximum...
Article 27 – UK & EU Representative services The UK entered a period of transition which ended on 31st December, 2020, as the Brexit uncertainty ended with the passing of the withdrawal agreement bill. Data controllers or processors are under the obligation to...
Data is everywhere and smart companies know how to use customer data to their advantage. If you regularly harvest customer data to understand consumer patterns and for remarketing purposes, you must know about the rules and regulations that protect customers from...