Recent developments such as the invalidation of the EU-U.S. Privacy Shield framework under the Schrems 2.0 decision and Brexit will have a significant impact on how businesses transfer their data internationally.

Recap: For more information see our previous webinars:

What safeguards are there for international data transfers?

Safeguards are often needed for international personal data transfers, depending on the locations involved, here are the most common ones:

  • Medium to large companies:
    • BCRs controller and processor which address processing internally and with customers ( see slides 16 and 17)
    • Hybrid DTA, and
    • SCC+ (including transfer risk assessments)
  • Smaller companies:
    • Hybrid DTA, and
    • SCC+ (including transfer risk assessments)

What do the new SCCs for international transfers and guidance say?

  • For the UK use the existing versions until the UK ICO approves the new versions or produces new UK SCCs
  • You can continue using the existing ones until 27 September 2021 after which you will need to use the new versions for new contracts or changes. By 27 December 2022 all contracts must be updated.
  • They attempt to fix problems with the existing versions and cover many Schrems 2.0 risks. They are intended to be more commercially relevant, catering for multiple parties
  • There are now modular to cover combinations of four scenarios (see below)
  • They are suitable for data exporters not located within the EU/EEA but caught by the GDPR terms
  • There is a need to understand the full chain of processing (from the ultimate controller to the last sub-processor)
  • Guidance from the EU has further clarified the wider "SCC+" assessment exercise requiring vigilance, legal advice, monitoring and action
  • The parties give warranties that they have no reason to believe that local laws and practices in the data importer's country prevent compliance, and that the data exporter has assessed the data importer's ability to comply

How do you create a contract from the SCCs?

  • The SCCs have standard clauses that apply in all scenarios (SCCs have priority over other contracts, the terms of which should not contradict them), eg:
    • List of parties, description of transfer, technical and organisational measures and list of sub-processors
    • Enforcement of rights by data subjects and dealing with complaints
    • Liability, indemnity, identifying the competent supervisory authority and jurisdiction
    • Dealing with law enforcement requests and local law conflicts
    • The process if the data importer becomes unable to comply
    • Both parties must consider security, including during transmission
  • There are also optional clauses in the SCCs, eg:
    • A 'docking clause': new parties can be added later
    • Various modules for the four scenarios (see below):
      • Controller-to-controller
      • Controller-to-processor
      • Processor-to-processor, and
      • Processor-to-controller
    • Minor aspects of some modules eg such as approval of sub-processors

What does the controller-to-controller module say (module 1)?

  • Data importer:
    • Limited purposes
    • Provide certain privacy information to data subjects
    • Obligation to action rectification and erasure and deal with other data subjects' rights
    • Data minimisation and storage limitation
    • Without undue delay notify any breach to data exporter and competent supervisory authority if breach likely to create a risk to data subjects and if there is a high risk also notify data subjects
    • Ensure onward transfers have safeguards and on its instructions
    • Restrictions on special category data
  • Both:
    • Security obligations and agreed details to be included

What does the controller-to-processor module say (module 2)?

  • Data importer:
    • Typical GDPR controller to processor clauses
    • Follow data exporter's instructions including for onward transfers and notify if cannot
    • May have to demonstrate compliance to competent supervisory authorities
  • Data exporter:
    • To exclusively control key for pseudonymized data

What does the processor-to-processor (ie sub-processor) module say (module 3)?

  • Data importer:
    • Process on documented instructions from controller and additional instructions from data exporter which must not conflict
    • Notify data exporter if cannot comply
    • Notify data exporter and where appropriate and feasible the controller of breach and data subjects' rights
    • Only disclose to a third party on documented instructions from the controller
    • Demonstrate compliance to data exporter, controller and competent supervisory authority
    • Restrictions on special category data
    • Audits from data exporter and controller
    • Typical GDPR controller to processor clauses flowed down
    • Restrictions on sub-processing
  • Data exporter:
    • Inform data importer that it acts as processor under instructions of controller which will be provided prior to processing
    • Inform controller if data importer cannot follow controller's instructions
    • Exclusively control key for pseudonymised data (or the controller)
    • Impose same obligations on importer as controller has imposed on it

What does the processor-to-controller module say (module 4)?

  • Data importer:
    • Refrain from any action that prevents data exporter from complying with GDPR
  • Data exporter:
    • Only process on documented instructions of data importer acting as its controller
    • Notify data importer if cannot follow data importer controller's instructions
    • Extra obligations if it combines the personal data received from the data importer with personal data collected by the data exporter in the EU especially regarding access by public authorities
  • Both:
    • Cooperation to respond to the exercising of data subjects' rights

What do you need to do pre-transfer when using the new SCCs?

  • Understand the obligations within the SCCs you are signing and the wider (EDPB) guidance
  • Know your transfers:
    • by reference to Record of Processing Activities (RoPA)
    • map out your locations
    • what is a transfer? includes remote access from a third country (eg support), and/or cloud storage outside EEA
    • remember onward transfers by others of the data entrusted to them. i.e. all actors in the chain
  • Keep in mind data minimisation
  • Data exporter to assess the third country protections & if data importer can satisfy its obligations:
    • must be documented. Might need to produce to the competent data protection authority
    • are supplementary clauses / safeguards needed
  • If the GDPR level of protection is undermined, or the supplementary measures are prohibited or contradict the SCCs, you should not start, or suspend, and consult
  • Re-evaluate at regular intervals

Transfer Risk Assessments - factors to be considered from the SCCs and EDPB guidance:

  • must be documented
  • laws of the locations involved
  • nature and purposes of the transfer (marketing, HR, IT support, storage and Sector in which the transfer occurs (health, financial) and categories of personal data
  • any processors or sub-processors involved
  • types of entities involved in the processing (public/private, controller/processor)
  • whether the data will be stored in the third country or if there is only remote access
  • format of the data to be transferred (pseudonymised, encrypted)
  • possibility of onward transfers
  • if data subject rights can continue to be effectively applied
  • If a right of redress for data subjects in case of access to their data by public authorities in the third country
  • effective limits on surveillance requests and publicity about the location

What supplemental measures should you consider?

  • technical measures, such as proper and effective encryption, pseudonymisation and split or multi-party processing
  • contractual measures, such as specifying the technical measures needed, reinforced audit clauses etc
  • organisational measures, such as internal policies, methods and best practices; records of surveillance requests and data minimisation

After transferring what are your ongoing obligations?

  • Understand what you have signed
  • Monitor ongoing developments in the third country/your location
  • Keep track of changing instructions in the services
  • Storage limitation- keep track of contract durations, retention periods, obligations to return or delete
  • Be aware of restrictions and confidentiality obligations for employee access
  • Third party sharing may be prohibited, or if not keeping track of sub-processors will be needed and contracts to be disclosed
  • Data importer has certain duties to notify not just the data exporter but the ultimate controller and competent supervisory authority
  • Keep track of data protection authority assessments of risky locations

What should you be doing now?

  • By 27 September 2021:
    • Understand your data flows and locations involved
    • Assess what safeguards are needed, urgently if that was previously the Privacy Shield or after 30 June 2021 Brexit if the UK is not deemed adequate. BCRs? SCCs?
    • Watch UK position
    • For all new non UK international transfers needing SCCs or for changes to such existing contracts and data flows undertake SCC+ assessment so as to comply by deadline. New clauses needed after that date
  • By 27 December 2022 all existing SCC contracts will need redoing using SCC+
  • What is SCC+?:
    • Create your modular SCC contract choices applicable to each flow
    • Undertake your transfer risk assessments
    • Implement any supplementary measures (such as contract terms, technical and organisational measures) for risky locations
    • Understand your obligations in the new SCCs
    • Due diligence with commercial partners
    • Watch out for warnings about other countries being unsafe
  • Ensure you're not just undertaking paper compliance: amendments to policies and privacy notices will be needed

Shoosmiths support

  • Automated Privacy Compliance digital tools
    • In partnership with OneTrust
    • Modular including data mapping
    • Significant discounts available
    • 90 day free trial
  • SCC+
    • Our tried and trusted model including making up the contracts, and all risk assessments
  • UK and EU Representatives

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.