GDPR Update – Step 3: Time to Update your Standard Contractual Clauses!

Welcome back to the Carney Law Privacy team’s blog on all things privacy-related. This post follows up on the steps needed to update Standard Contractual Clauses. As you have likely heard, on June 4, 2021, the European Commission released updated Standard Contractual Clauses (SCCs) in response to the Schrems II decision, which invalidated the EU-U.S. Privacy Shield, and to bring the clauses in line with Europe’s General Data Protection Regulation (GDPR). As a reminder, the SCCs (old and new) are a mechanism permitting the transfer of personal data about data subjects located in the EU to entities located in most countries outside the EU, namely those countries the Commission has not recognized as providing an adequate level of protection.

How are the new SCCs different from the old ones? 

The new SCCs are more flexible than the old versions and better reflect how companies actually process data today. For one, they are modular, with four modules covering the possible transfer scenarios:

  • Controller-to-controller 
  • Controller-to-processor 
  • Processor-to-controller  
  • Processor-to-processor 

The idea is that companies assess which of the four scenarios above applies to their transaction and implement the appropriate module into their definitive agreement or addendum, as needed.   

Second, the new SCCs are not as rigid as the old versions, which companies were not permitted to adjust to reflect their particular arrangement. For example, companies can now incorporate the relevant clauses of the SCCs directly into a definitive agreement rather than executing them separately, and can supplement them with additional terms, provided those terms do not contradict the requisite clauses or infringe upon data subjects’ rights. The controller-to-processor and processor-to-processor modules also build in the processing terms required by Article 28 of the GDPR, so a separate DPA with additional or supplementary terms is no longer needed for those transfers.

How and when should you update your SCCs? 

If you currently have your SCCs cross-referenced in a Data Processing Agreement (DPA), consider updating the reference in the DPA to reflect the new SCCs. This will include specifying who the data exporter and data importer are, and which of the above-referenced modules will apply. You may also choose to specify whether some of the optional clauses in the new SCCs should apply. These include whether third parties can “join” the SCCs via the new docking clause, whether certain types of “onward transfers” are permitted (including to subcontractors), and whether the parties choose to use an independent dispute resolution body, among other things. You will also need to specify what law applies and in what jurisdiction disputes will be resolved. Finally, as was the case with the old SCCs, you are required to include details about the importer and exporter and must describe the processing activity taking place (Annex I). Unlike the old SCCs, the new versions require the data importer (i.e., the entity receiving the data outside the EU, such as a US company) to describe in as much detail as possible the technical and organizational measures it has implemented to ensure an appropriate level of security (Annex II), such as encryption and pseudonymization, access controls, logging and monitoring, backup and recovery procedures, and regular testing of those measures.

If you do not have a form DPA, or are relying on a form of DPA that is now outdated, consider swapping out the DPA in its entirety for the new standard contractual clauses, or, for certain types of transactions, consider folding the SCCs directly into your definitive transaction agreement.

If you are entering into a new contract that involves the type of transfer discussed in this blog, you should be using the new SCCs as of September 27, 2021. If your contract is already in place and relies upon the old SCCs, then you have until December 27, 2022, to replace those with the new SCCs. This leaves you time to create a plan, review existing contracts and determine what needs to be updated between now and then.

Which module should you pick?   

Which of the four modules you pick depends on the role each party plays in the transfer: the exporter (the entity sending data outside the EU) and the importer (the entity receiving the data from the EU) can each be a controller or a processor. Most importantly, do you determine the purposes and means of the processing? Meaning, do you decide what to do with the information, how to access and store it, with whom to share it, and how long you hold on to it? If so, you are likely the controller of the information.

Alternatively, are you acting on the instructions of your contractual partner and only using the information as needed to perform your commitments under the contract? If so, you are likely the processor. This can be a complicated exercise and depends heavily on the context of the processing; your entity might be a controller for certain purposes and a processor for others. It is never a bad idea to consult with legal counsel if you are not sure.

What else should you be thinking about? 

Don’t forget the impact the updated SCCs may have on your own vendor chain. For example, if you currently use subcontractors or other service providers (sub-processors) to process personal data, then you will also need to update your agreements with them to ensure you are meeting your obligations under the new SCCs. You may also be required to list them by name in the SCCs (Annex III).

In some cases, the new SCCs may not be the most appropriate or best approach to the transfer at hand. In these cases, an alternative transfer mechanism might be preferable, such as binding corporate rules or reliance on one of the derogations available under Article 49 of the GDPR (for example, the data subject’s explicit consent).

A final word on data transfer impact assessments  

One of the issues in the Schrems II case was the conflict between individual privacy and a foreign government’s ability to step in and access the personal data being transferred. The new standard contractual clauses include a risk-based method for assessing the likelihood that a government will request or demand access to this kind of data, taking into account the circumstances of the transfer, the laws and practices of the destination country, and any supplementary safeguards (technical, contractual or organizational) the parties have put in place. The idea is that if the risk of foreign government access is too great, the transfer may not occur. As part of this exercise, companies are documenting their risk analysis in Transfer Impact Assessments (TIAs). In our next post, we will take a closer look at these TIAs and provide you with some key takeaways, including whether you need one and what it should include.

As always, if you have any questions about the new SCCs, how to update your DPA or other agreements, or other privacy-related questions, please reach out to our privacy team!  We routinely help clients make sense of these challenges and are happy to help you strategize best practices for your business model.   


About Carney Badley Spellman, P.S.

Carney Badley Spellman is about Advocacy, Strategy, Results. Located in Seattle, we are a full-service law firm committed to exceptional client service and professional excellence. Our firm serves individuals and businesses of all types and sizes, and our attorneys work with everything from closely held companies to Fortune 500 corporations in the Pacific Northwest and across the United States. Although Carney Badley Spellman is located in Seattle, Washington, we are proud to be a part of the Washington state community and communities across the nation.

For more articles like this please visit our websites: Privacy Blog, The Startup Law Blog, and Carney Law.