On 7 October 2021, the UK's Information Commissioner's Office (ICO) launched a consultation on a new international data transfer agreement and guidelines to replace the EU SCCs. The consultation includes an assessment and tool for international transfer risks, as well as a UK addendum to the EU SCCs. The ICO has not approved the SCCs, and therefore companies wishing to transfer data from the UK to third countries will have to continue to use the old SCCs for the time being. The new clauses are "particularly important for U.S. companies, as the other popular option, known as the U.S.-EU Privacy Shield Framework, was declared invalid by the Court of Justice of the EU in July 2020," Francis said. Standard Contractual Clauses (SCCs) are an important means of ensuring the legal and secure transfer of personal data from the European Economic Area (EEA) to "third countries" (non-EEA countries). All new contracts must use the new standard contractual clauses after September 21, 2021. If, after this period, employers with employees in the EU provide data without adequate legal protection, they could face fines or legal proceedings. They suggest that exporters apply strong encryption to personal data and include additional contractual clauses that require the importer not to share the data with the U.S. government. Of course, there is no right or wrong approach to take; it largely depends on the data you are transferring, the purpose of the transfer, when and where you transfer the data and how you do it. Consider this as part of your contracts, projects and plans for the next 18 months.
You will also need to consider how far you have got with your Schrems II remediation over the last 11 months – you may have just completed 30 different transfer risk assessments supported by former SCCs and related complementary measures. So you may not be in the mood to look at the new SCCs for a while. We also look forward to the European Data Protection Board (EDPB) finalising its Recommendations 01/2020 on measures complementary to the transfer instruments to ensure compliance with the EU level of protection of personal data, following the EDPB's plenary session on 18 June 2021. Therefore, these surveillance laws could be a problem if you want to use SCCs to transfer personal data to certain U.S. companies. You need to consider whether you can apply additional safeguards to your restricted transfers to protect against government interference. These will replace the old 2010 Standard Contractual Clauses. The new clauses reflect changes implemented with the EU's new data protection law, the General Data Protection Regulation (GDPR) of 2018. The GDPR restricts the types of personal data that can be legally transferred. However, if, at any time before the September date, old (existing) SCCs have been put in place, you can still rely on these old SCCs for a further 15 months, i.e. until 27 December 2022, provided that the "processing operations covered by the contract" do not change and that "the use of these clauses ensures that the transfer of personal data is subject to appropriate safeguards".
For data importers who are subcontractors, as modules two and three also include the mandatory clauses of the GDPR, they are likely to be used only for transfers outside the EU to data processors (whereas previously the former SCCs were usually attached to a separate data processing agreement ("DPA") that included the mandatory clauses of the GDPR). Modules two and three can reduce or even eliminate the need for a separate DPA, but it is important to note that, as the Set One SCCs remain valid, the Set Two SCCs cannot be changed and any terms of a current DPA you have will be overridden by the SCCs in the event of a conflict. If your company is a subcontractor outside the EU, we recommend that you review and compare the DPAs you currently have with relevant third parties to understand your future obligations – especially as these new SCCs may become the new market standard. You can also extend the new SCCs to meet the specific needs of your business, which is possible as long as these additions do not contradict or detract from the SCCs in written form. Standard contractual clauses for data transfers between EU and third countries. 6. It's clear, even from this list, that you need to consider time, budget, and resources to make the necessary changes at a time that's convenient for your business. The Schrems II case was a central challenge to the validity of the SCCs.
The CJEU concluded that SCCs remain a valid safeguard when making restricted transfers of personal data. Identify the old SCCs to which you may be a signatory, identify the roles of the parties they contain (i.e. controller or subcontractor), and begin informing the appropriate third parties of the need to execute the appropriate module of the new SCCs. Adequacy decision: The beneficiary company is located in a country whose data protection standards have been classified as "adequate" by the European Commission. At the time of writing, these are countries: If you are planning a restricted transfer, you need to create a contract between the two parties who receive and send the data and insert the SCCs into the contract. 4. If you are located outside the EEA, it may be advisable to carry out an analysis of local laws in order to facilitate compliance with clauses 14 and 15 of the new SCCs (where the Schrems II provisions are located). Such an approach makes it easier for an EEA data exporter to sign on the dotted line, knowing that the Schrems II issues have been addressed and resolved. You should familiarize yourself with footnote 12 to clause 14, as it provides additional guidance on factors that could be considered in the context of conformity assessment, e.g. previous cases of requests for disclosure from public authorities or the absence of such requests covering a sufficiently long period to make them representative. It will be interesting to see how this fits into the final recommendation of the European Data Protection Board, as the draft seemed to imply that this information would not be taken into account. Hopefully, we will have more clarity on this in the coming weeks when the final version is released. 1. Familiarize yourself with the new SCCs and understand where the risk to your business lies. You will also need to think about some of the practical considerations, policies and processes that you have or need, for example to enable data subjects to effectively exercise their rights (clause 10). How will you meet the new transparency requirements (paragraph 8)? Will you use the docking clause (Article 7)? If so, what process will you use to do this? All those who join the new SCCs must complete the Schedule and sign Part A of Schedule I. Where and how will you store this information? Put it into practice. During this grace period, companies relying on old SCCs for cross-border data transfers should start taking stock of existing agreements and prepare for the implementation of the new cross-border SCCs. Although these new SCCs have been designed to largely meet the requirements of Schrems II, companies still need to assess whether cross-border SCCs alone are sufficient or whether further measures are needed. For data importers in particular, this may include the preparation of a transparency report and transfer impact assessments.
For intra-EU transfers between controllers and processors, companies can rely on these new SCCs to comply with GDPR obligations. The new standard contractual clauses require companies to provide employees with more information about data transfers than before under the GDPR. "Multinational employers with employees in the EU may need to review and redistribute the data processing notices they have previously provided to employees," Gordon confirmed. Strengthening the rights of data subjects: Data subjects may enforce several provisions of the new SCCs against the data exporter and importer. Under the former SCCs, data subjects could only enforce third-party beneficiary clauses against the importer or sub-processor if the data exporter and, in the case of a sub-processor, the data importer had effectively disappeared or no longer legally existed. Starting this fall, companies that transfer personal data from the European Economic Area (EEA) are likely to experience a flood of contract renegotiations. On 4 June 2021, the European Commission adopted new long-awaited Standard Contractual Clauses (SCCs) for transfers from the EEA. SCCs have been one of the most popular ways for companies to transfer personal data from the EEA to third countries whose data protection laws were not deemed "adequate" (such as the United States).