Update Standard Contractual Clauses for international personal data transfers
24/12/2021

Still thinking about your New Year’s resolution? Pursuant to the European Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (outside the EEA) pursuant to GDPR, companies have until 27 December 2022 to replace their current sets of SCCs.

Two important deadlines

One important deadline has already passed. Since 27 September 2021, companies subjected to GDPR that are transferring personal data outside the EEA are obliged to use the “new sets of SCCs” published by the European Commission in June 2021 for (i) all new data transfer agreements, and (ii) all amendments to existing data transfer agreements. Today, the “old SCCs” can thus no longer be used.

The second important deadline is set at 27 December 2022. This means that companies have, as from today, more or less 12 months to replace their existing contracts involving the transfer of personal data to recipients outside the EEA.

Main characteristics of the new SCCs

The new sets of SCCs published by the European Commission:

  • Do not only contain controller-to-controller provisions or controller-to-processor provisions, but 4 different “modules”, including modules for use by data processors wishing to transfer personal data to a subprocessor or to a data controller outside the EEA;
  • Bring the wording and content of SCCs in line with GDPR;
  • Incorporate, in the relevant modules, Article 28 GDPR requirements (meaning that no separate data processing agreement is needed for controller-to-processor or processor-to-subprocessor transfers);
  • Reinforce data subject rights (e.g. by including express third-party beneficiary rights);
  • Allow additional parties to sign-up to already executed SCCs by means of a “docking clause”;
  • Contain, for each of the relevant modules, additional rules regarding “onward transfers” of personal data by the “data importer”; and
  • Incorporate wording in the context of the aftermath of the “Schrems II” judgement of the Court of Justice of the EU, referring (among other things) to the execution of data transfer impact assessments by the “data exporter”, with the necessary assistance to be provided by the “data importer” (allowing the parties to take the industry practices, the practical experience of data importer and relevant case law into account when performing such assessment).

Mark your ‘to do list’ for 2022

Mapping and replacing your company’s international data transfer agreements, which are most likely still based on the “old SCCs”, may not be an easy task.

We therefore recommend implementing a step-by-step approach, starting with the creation of an up-to-date inventory of the international data transfers undertaken by your company and the transfer tool (SCCs or other) relied upon for this purpose. Note in this context that, for some countries, like Japan, the UK or South-Korea, SCCs may no longer be required following the adoption of adequacy decisions.

As a next step, consider the relevant “modules” and optional clauses of the new SCCs (e.g. the docking clause) and start gathering the factual information required to complete the various schedules to the SCCs. Likely, when examining your “old SCCs”, this information will no longer be up to date.

Finally, start preparing your data transfer impact assessments and reach out to your “data importer” to gather and examine the legal and factual information required to complete such assessment.

This final step may however require some time to be completed, especially where additional data transfer safeguards need to be implemented and discussions with your “data importer” may not always run smoothly. Noting that the performance of a transfer impact assessment is in fact already an (often neglected) obligation today (regardless of your transfer to the new SCCs), don’t postpone this exercise and keep your New Year’s resolution.

We remain of course available to assist with any further question you may have on this topic.

Voir aussi : Loyens & Loeff CVBA ( Mrs. St√©phanie De Smedt ,  Mr. Dorien Surinx ,  Mr. Hugo Nieuwenhuyse )

[+ http://www.loyensloeff.com]

Mrs. Stéphanie De Smedt Mrs. Stéphanie De Smedt
Counsel - Attorney at law
[email protected]
Mr. Dorien Surinx Mr. Dorien Surinx
Associate - Attorney at Law
[email protected]
Mr. Hugo Nieuwenhuyse Mr. Hugo Nieuwenhuyse
Associate
[email protected]

Click here to see the ad(s)

Derniers articles de Mrs. Stéphanie De Smedt

Belgian DPA holds that IAB’s consent framework infringes GDPR
15/02/2022

In a decision of 2 February 2022, the Belgian Data Protection Authority (the “BDPA”) considers that the Transp...

Read more

EDPB publishes guidelines on interplay territorial scope GDPR and international transfers
02/12/2021

On 18 November 2021, the European Data Protection Board (the “EDPB”) published guidelines on the interplay bet...

Read more

Processing of personal data on eID card for customer loyalty cards
20/10/2021

Annulling a judgement of the Markets Court, the Belgian Supreme Court examined the case relating to the processing of pers...

Read more

Last-minute Brexit deal extends free flow of personal data to UK with 6 months
31/12/2020

On 24 December 2020, the EU and the UK reached an agreement over some essential Brexit modalities, including the exchange ...

Read more

Derniers articles de Mr. Dorien Surinx

Belgian DPA holds that IAB’s consent framework infringes GDPR
15/02/2022

In a decision of 2 February 2022, the Belgian Data Protection Authority (the “BDPA”) considers that the Transp...

Read more

EDPB publishes guidelines on interplay territorial scope GDPR and international transfers
02/12/2021

On 18 November 2021, the European Data Protection Board (the “EDPB”) published guidelines on the interplay bet...

Read more

Processing of personal data on eID card for customer loyalty cards
20/10/2021

Annulling a judgement of the Markets Court, the Belgian Supreme Court examined the case relating to the processing of pers...

Read more

Derniers articles de Mr. Hugo Nieuwenhuyse

Belgian DPA holds that IAB’s consent framework infringes GDPR
15/02/2022

In a decision of 2 February 2022, the Belgian Data Protection Authority (the “BDPA”) considers that the Transp...

Read more

LexGO Network