EU data protection directives bring good news for UK suppliers
Kathryn Wynn and Rosie Nance of Pinsent Masons were commenting after the Commission released a new Standard Contractual Clauses (SCC) Q&A document (24 page / 435 KB PDF).
SCCs are one of the legal tools the Commission has developed to help businesses meet their obligations under the EU General Data Protection Regulation (GDPR) when transferring personal data outside the European Economic Area (EEA). SCCs can be inserted into commercial contracts to govern how those importing personal data from the EU handle and protect that data, although the Commission has confirmed that companies cannot change these clauses without approval of the amended version by a national data protection authority.
Last year, the Commission published revised SCCs to replace those it had previously adopted in 2004 and 2010. The updated SCCs are designed to reflect changes to data protection legislation implemented by the GDPR in 2018 and the concerns raised by the Court of Justice of the EU in the so-called “Schrems II” judgment.
Companies will no longer be able to rely on SCCs from 2004 or 2010 to transfer data to third countries from 27 December this year. The Commission took the opportunity to reiterate this deadline for the remediation of old contracts in its question and answer document.
Kathryn Wynn said there was a welcome clarification in the guidance on a point of uncertainty that has arisen in relation to data transfers involving UK-based providers since Brexit.
“Data transfer agreements have become more complex since Brexit. Some UK group companies have established a substantial presence in EU countries, such as Ireland. We are familiar with the scenarios where data flows from an Irish controller to a UK group company providing shared services to a UK supplier and then back to a processor based outside the UK or EEA. Companies involved in these deals have been keen to know which parties should enter SCCs and which data protection regime – EU GDPR or UK GDPR – applies,” she said.
“Previously, under the 2010 SCCs, only a controller could be the data exporter, as only the controller had data export obligations under pre-GDPR legislation. In our scenario, this would have meant that the Irish controller would be responsible for entering into the SCCs with the non-UK or EEA subcontractor. However, given that the 2021 version of the SCCs has a modernized and modular approach, the Commission has now confirmed that the processor is considered in our scenario to be the data exporter and therefore the party that concludes the SCCs with the non-UK or EEA contractor,” Wynn said.