December 14, 2022
Is your Company currently transferring personal data to third countries, meaning countries outside the European Economic Area (EEA) or the European Union (EU), Switzerland or the UK? Are you still relying on old signed DPAs that refer to the outdated Standard Contractual Clauses (“SCC”)? Do you have any reference in your DPA to the UK SCC or the Swiss SCC?
If not, you should take action immediately, because the grace period provided by the EU Commission ends on 27 December 2022 (exactly 2 weeks from today).
A reminder: Standard Contractual Clauses are contract frameworks adopted by the EU Commission and also adopted by the UK ICO and the Swiss DPA. When transferring personal data to countries without an adequacy decision and without an exemption under Art. 49 GDPR, SCCs must be aligned between the data exporter and the data importer. The contractual obligation and further technical and organisational measures are intended to ensure an adequate level of data protection. This also applies to data transfers within corporate groups. On 16 July 2020, the European Court of Justice declared the EU/US Privacy Shield invalid (also known as the “Schrems II Decision”). Following the Schrems II Decision, the European Commission published a new version of the Standard Contractual Clauses, with modules (EU 2021/914), which are binding for the conclusion of new contracts as of 27 September 2021. However, “old SCCs” initially retained their validity until 27 December 2022, as a grace period. From 27 December 2022, all DPAs need to include the new SCCs, retroactively as well.
Specifically regarding data transfers to the US, a new adequacy decision by the EU Commission could make the conclusion of the new SCC redundant. However, there are currently no indications that such a decision will be published before 27 December 2022. Just the other day (on 13 December 2022), the EU Commission initiated the formal process for adopting the adequacy decision on the EU-US Data Privacy Framework, due to the Executive Order recently signed by Biden on the EU-US data privacy agreement. However, this is only the first step, and if all goes well the framework will take at least 6 months to be approved. This means the new SCC will still need to apply during this time.
Our expert team is happy to help with the needed implementations and revisions.
APM Technology and Regulations.