UK and EU data privacy law (and indeed many other privacy laws outside EMEA aswell) restrict transfers of personal data outside the UK or EU unless an exemption applies which is narrowly defined. One of these exemptions is reliance on standard data protection clauses adopted by the EU Commission, commonly known as the standard contractual clauses ("SCCs"). On 4 June 2021 the EU published an updated version of the SCCs (the "New EU SCCs") which are modular in their approach and require much more work to put in place than the SCCs aswell as greater privacy compliance by both parties. Currently, the SCCs can continue to be relied upon until 27 December 2022 ("the Deadline"); provided that (i) the contract was concluded before 27 September 2021 and (ii) the processing activities and categories of data under the contract remains unchanged

All the above affects any organisation who on behalf of its customers transfers personal data outside the UK and EU or uses any vendors to do so, and failure to update to the New EU SCCs (or at least have a plan to in place to do so) will render such data transfers void and contract unenforceable aswell as liable for a fine of up to 4% of global worldwide turnover for failure to comply with the requirements of the New EU SCCs by the Deadline. Organisations can expect its customers and regulators to assess their level of compliance and for evidence of such compliance to be provided promptly.

In summary the key changes include:

  1. Schrems II

Following the Schrems II decision in July 2020, the 2010 model clauses were ruled as no longer adequate where personal data is transferred from the European Economic Area ("EEA") to a third country.

  1. EU Standard Contractual Clauses / Model Clauses

In June 2021, new EU Model Clauses ("EU SCCs") were introduced by the European Commission including four different templates, and the requirement for organisations to undertake a Transfer Risk Assessment ("TRA") was introduced.

  1. UK Standard Contractual Clauses / Model Clauses

In March 2022, the UK Model Clauses ("UK SCCs") were introduced by the ICO, by virtue of the UK Addendum and International Data Transfer Agreement ("IDTA").

Consequently, organisations are now required to ensure that existing and new contracts have appropriate SCCs in place, in accordance with the following timeline:

1250742a.jpg

Many international organisations caught by both the EU and UK GDPR are repapering all contracts involving the transfer of data, in accordance with the deadline of 27 December 2022, to avoid undergoing the repapering exercise twice.

To comply you must act now by undertaking the following activity:

  1. Understand your data flows and keep your RoPA updated.
  1. Send your Schrems questionnaires to your vendors as you will certainly receive them from your customers (if you have not already)-due diligence on vendors will be important.
  1. Begin or continue a detailed review of all contractual relationships involving international transfers as any contracts relying on the SCCs will need to be updated to include the New EU SCCs by the Deadline (or earlier if the processing in question has changed).
  1. Focus on priority vendor relationships first and find the contracts aswell as any master agreements and flow down agreements for each relationship.
  1. Decide on repapering approach for each relationship and agree strategy with the business.
  1. Prepare to respond to data subject requests to receive a copy of New EU SCCs and consider whether it is appropriate to update your privacy notices that provide information relating to the same.
  1. Ensure that with any external privacy policies or notices which refer to data transfers (all will or should do) you are complying with those notices eg, no point in saying you have entered into New EU SCCs if you have not as you will be found out.
  1. Start undertaking your Transfer Risk Assessments internally as these may need to be shown to your customers and/or regulators.
  1. Ensure template agreements do not conflict with liability provisions in New EU SCCs.
  1. Ensure any new potential procurements have all the above factors in mind.
  1. If you have BCR's ensure you put in place a BCR processor contract with your customers as this will better protect you and speed up negotiations.
  1. Put in place playbooks as that will speed up negotiations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.