Considerations for updating standard contractual clauses | Morgan Lewis – Technology and Procurement
On June 4, 2021, the European Commission adopted its long-awaited updated Standard Contractual Clauses (new CCNs) for organizations transferring personal data outside the European Economic Area (EEA) to third countries which do not offer adequate protections with regard to personal data. For more information, read our LawFlash from June 10, Adoption of new European standard contractual clauses for international data transfers.
In this article, we take a look at some of the things organizations will need to consider when updating their current Standard Contractual Clauses (PCCs).
The use of the New CCPs is compulsory for contracts concluded after September 27, 2021. For contracts concluded before this date, the use of the old standard contractual clauses (Old CCPs) remains authorized, subject to the obligation to put implementing additional measures in accordance with the Schrems II judgment.
All old SCCs must be updated to the new SCCs by December 27, 2022.
Organizations currently negotiating contracts that will close before September 27, 2021 that require SCCs will need to decide whether to use the new SCCs in their contract or use the old SCCs with the understanding that they will need to be updated afterwards. to the New CSCs by December 27, 2022.
The above deadlines may seem generous; however, organizations with a significant number of contracts with CSCs may have a lot of work to do to ensure they are compliant by the December 27, 2022 deadline.
Organizations should undertake a full audit of their contracts under which there are international transfers of personal data to assess the necessary actions. The elements to take into account are the following:
- Do such contracts currently have CCSs in place? If not, are they compulsory?
- What type (s) of transfer are undertaken? (See Modules section below.)
- Is personal data subject to the UK General Data Protection Regulation (GDPR), EU GDPR, or both?
- Are Schrems II additional measures being implemented?
Once the organization understands its current position on NCCs, it should formulate a roadmap for meeting the deadline.
Early engagement with contractual counterparties is encouraged, as is a proactive approach (whether the organization is a controller or a processor). Starting the review and update process as soon as possible will provide the best chance of achieving compliance on time.
The new SCCs are divided into modules that deal with four types of transfer:
- Controller to Controller
- Processor controller
- Processor to processor
- Processor to controller
As part of the contract audit mentioned above, organizations should consider what type (s) of transfers occur under their contracts and adopt the appropriate module (s) to ensure compliance.
The new CSCs impose a number of substantive obligations on the parties. In addition to undertaking a contract audit to ensure contractual compliance, organizations should ensure that they fully review the requirements of new CCNs and the obligations they impose, to ensure that the necessary processes and procedures are in place to comply with these obligations. .
Schrems II Additional measures
Although the new SCCs are designed to work with Schrems II judgment, organizations will still need to assess whether additional additional measures are needed in order to provide adequate protections for the privacy rights of individuals whose personal data is transferred in accordance with the new CPS. Please see the Schrems II section in our June 10 LawFlash for more details.
The UK government has yet to publish its own SCCs or confirm that the use of the new SCCs is permitted under UK GDPR. An update is expected at some point in 2021, which will hopefully bring clarity. As such, the old SCCs will still need to be used for transfers of personal data subject to UK GDPR from the UK to a third country, as well as Schrems II additional measures.
Unfortunately, this will leave many organizations that process personal data subject to both EU GDPR and UK GDPR in a position where they will have to use both old and new SCCs.
CSCs are currently not required for the transfer of personal data between the EEA and the UK following the European Commission adequacy decision of June 28, 2021. For more information see our LawFlash of June 29 , UK Adequacy Decision for European Data Transfers.