Trading Internationally? The New EU Data Protection SCCs Explained

Published date: 23 July 2021
Subject Matter: Privacy, Compliance, Data Protection, Privacy Protection
Law Firm: Shoosmiths
Author: Ms Sarah Tedstone and Hamish Corner

Recent developments such as the invalidation of the EU-U.S. Privacy Shield framework under the Schrems 2.0 decision and Brexit will have a significant impact on how businesses transfer their data internationally.

Recap: For more information see our previous webinars:

  • on the Schrems 2.0 case: What is the Schrems 2.0 case about?
  • on Brexit 2.0 generally: Brexit and the EU UK trade deal

What safeguards are there for international data transfers?

Safeguards are often needed for international personal data transfers, depending on the locations involved. Here are the most common ones:

  • Medium to large companies
    • BCRs (controller and processor), which address processing internally and with customers (see slides 16 and 17)
    • Hybrid DTA, and
    • SCC+ (including transfer risk assessments)
  • Smaller companies
    • Hybrid DTA, and
    • SCC+ (including transfer risk assessments)

What do the new SCCs for international transfers and guidance say?

  • For the UK, use the existing versions until the UK ICO approves the new versions or produces new UK SCCs
  • You can continue using the existing ones until 27 September 2021, after which you will need to use the new versions for new contracts or changes. By 27 December 2022 all contracts must be updated.
  • They attempt to fix problems with the existing versions and cover many Schrems 2.0 risks. They are intended to be more commercially relevant, catering for multiple parties
  • They are now modular, to cover combinations of four scenarios (see below)
  • They are suitable for data exporters not located within the EU/EEA but caught by the GDPR terms
  • There is a need to understand the full chain of processing (from the ultimate controller to the last sub-processor)
  • Guidance from the EU has further clarified the wider "SCC+" assessment exercise, requiring vigilance, legal advice, monitoring and action
  • The parties give warranties that they have no reason to believe that local laws and practices in the data importer's country prevent compliance, and that the data exporter has assessed the data importer's ability to comply

How do you create a contract from the SCCs?

  • The SCCs have standard clauses that apply in all scenarios (SCCs have priority over other contracts, the terms of which should not contradict them), eg
    • List of parties, description of transfer, technical and organisational measures and list of sub-processors
    • Enforcement of rights by data subjects and dealing with complaints
    • Liability, indemnity, identifying the competent supervisory authority...
