As of September 27, 2021, companies relying on Standard Contractual Clauses (SCCs) to transfer personal data outside the European Union (EU) must use the new Standard Contractual Clauses (New SCCs) when signing data processing agreements. As a result, it is time to update template data processing agreements to ensure that your company can meet this deadline.

In practice, companies should consider:

  1. Carefully analyzing the New SCCs to assess how they can comply with the new requirements, selecting the appropriate module(s), and completing the relevant annexes.
  2. Updating existing template data processing agreements to ensure that any new contract concluded as of September 27, 2021, relies on the New SCCs.
  3. Completing a Data Transfer Impact Assessment(s) for any relevant transfer of EU personal data.
  4. Developing a plan to update existing agreements and replacing the old SCCs with the New SCCs by December 27, 2022.

Background

Companies exporting and importing EU personal data must comply with EU data transfer restrictions by implementing a data transfer mechanism to transfer personal data from the EU to a country that is not considered to provide an adequate level of protection. Most countries outside the EU, including the U.S., are not considered to provide such a level of protection under EU law.

Various mechanisms exist for the transfer of EU personal data. Following the Schrems II decision, which invalidated the EU-U.S. Privacy Shield, the most popular tool is the SCCs. Schrems II also created an obligation for companies to take measures to ensure that the SCCs are effectively complied with. More information on the Schrems II decision is available here. In interpreting this decision, the European Data Protection Board strongly recommended that companies conduct Data Transfer Impact Assessments (DTIAs), which are becoming widespread.

On June 4, 2021, to account for the General Data Protection Regulation (GDPR) and the Schrems II decision, the EU Commission issued New SCCs that became effective on June 27, 2021. More information on the New SCCs is available here.

The New SCCs provide for a transition period allowing companies to continue using the old SCCs. This transition period expires on September 27, 2021, meaning that as of that date, companies must use the New SCCs for data transfers when entering into new data processing agreements. Existing agreements that rely on the old SCCs must be updated by December 27, 2022. However, if the processing operations change before December 27, 2022 (e.g., new categories of data added, new parties added, etc.), companies must transition to the New SCCs at the time of the changes.

Our privacy and cybersecurity practice routinely advises on EU data transfers restrictions and can help you tackle the challenges raised by this fast-moving area. For more information, please contact Cédric BurtonJan DhontLydia ParnesChristopher Olsen, or another member of the firm’s privacy and cybersecurity practice.