Today, Monday, September 27, 2021, marks an auspicious threshold date for compliance with the European Union General Data Protection Regulation (“GDPR”) for companies that engage in activities requiring the transfer of personal data from the European Economic Area (“EEA”) to countries outside the EEA. As of today, any new Agreement that contemplates the transfer of personal data (as defined under the GDPR) from the EEA to a country outside the EEA under standard data protection clauses must utilize the new “Standard Contractual Clauses for the Transfer of Personal Data to Third Countries Pursuant to the GDPR” that were adopted by the European Commission in June of 2021 (the “new SCCs”). Further, where new processing activities arise under an existing Agreement that incorporated the former SCCs, that Agreement must be amended to incorporate the new SCCs. And though not due today, existing contracts entered into prior to today’s date that utilized the former version of the Standard Contractual Clauses will need to be amended to incorporate the new SCCs by December 27, 2022.
The new SCCs replace the outdated former SCCs that were issued in 2010 and are intended as a response to the recent Schrems II decision by the Court of European Justice that invalidated the Privacy Shield as a compliant EEA-U.S. transfer mechanism in July of 2020.
The new SCCs incorporate Article 28 requirements for controller-to-processor and processor-to-processor transfers, which may eliminate the need for a separate Data Processing Agreement. However, companies will still want to conduct privacy impact assessments carefully to determine, on a case-by-case basis, whether supplemental, non-contradictory measures are needed alongside agreements that incorporate the new SCCs, to ensure the level of data protection that applies to the specific processing activities aligns with the level required within the EEA. Companies are also on notice to ensure the new SCCs are implemented throughout their supply chain for any new contracts or new processing activities unless a separate GDPR-compliant mechanism applies.
The GDPR poses considerable compliance obligations and the new SCCs add to the mix. Michael Best’s privacy team is available to assess how these obligations may impact your company and is well-positioned to assist you in navigating all your compliance challenges.