The new deadline for standard contractual clauses is approaching | Cozen O’Connor
On June 4, 2021, the European Commission introduced the new set of Standard Contractual Clauses (“SCCs”), a primary mechanism for lawfully transferring personal data from Europe to the United States under the General Data Protection Regulation. European Union data. These new SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. For entities having entered into a transfer agreement on the basis of the previous CCPs before September 27, 2021, a transition period has been granted until December 27, 2022 to switch to the new CCPs, provided that the processing operations subject to the CCP contract remains unchanged. Thus, all new and existing contracts must be transferred to the new SCCs by December 27, 2022. Below is an overview of the main updates of the new SCCs and recommendations to ensure compliance before the deadline of the December 27, 2022.
Important updates for the new SCCS
The new SCCs are divided into four modules to address four different cross-border transfer scenarios: (i) Module One: controller to controller; (ii) Module 2: from controller to processor; (iii) Module three: processor to processor; and (iv) Module 4: Processor to Controller. This is different from previous SCCs, which only considered cross-border transfer scenarios involving two controllers, and one controller to one processor. Under the new SCCs, parties can tailor the clauses to their specific transfer scenario, reflecting the complexity of modern processing chains.
Assessment of the impact of the transfer
The new CSCs require parties to all clusters to conduct and record a transfer impact assessment. When entering into new SCCs, parties must warrant that they have no reason to believe that the laws and practices applicable to the data importer do not comply with the requirements of the new SCCs. When assessing the impact of the transfer, the parties must also take into account the circumstances of the proposed transfer, define the parameters of the transfer (i.e. the length of the processing chain), define the guarantees put implement and assess the risk posed by the laws and practices of the third country of destination.
While previous SCCs did not allow other parties to join directly, the new SCCs contain a clause that allows additional data exporters or importers to join the new SCCs throughout the life of the contract. The acceding party will have the rights and obligations arising from the new CPCs from the moment they enter into the new CPCs.
In addition to using the new CSCs in all future contracts involving transfers of data from the European Union, entities should develop strategies to prioritize and update existing contracts that involve transfers of personal data from Europe. to the United States. Entities should determine if new CSCs are needed. for cross-border transfer scenarios involving processor to controller or processor to processor, as previous SCCs were not required for these scenarios. It is essential that entities identify all existing contracts that will need to be amended to include the new SCCs by the December 27, 2022 deadline.