Berggren | Blog

New Standard Contractual Clauses for personal data transfers – action needed by 27 Sep 2021

Written by Arttu Ahava | 1.9.2021

Under the General Data Protection Regulation, personal data cannot be transferred outside the EU/EEC area without specific legal safeguards, except for a few specific countries that have been deemed to have an adequate level of data protection, such as Canada and the UK. The most common legal safeguard for such transfers is the use of Standard Contractual Clauses approved by the EU Commission, i.e. template agreements usually added as annexes to cross-border contracts.

Which companies are affected?

Almost every company in the EU will be affected by this change. If the company uses any service providers or partners that have processing activities outside the EU/EEC, they will probably be affected by this change. For example, essentially all major hosting providers use distributed infrastructures that include processing activities outside the EU/EEC even if the actual servers on which the personal data is stored are sometimes located inside the EU.

However, in particular this will affect those companies that provide their own software products or services, and have previously relied on the old SCCs to transfer data to processors or controllers outside the EU/EEC. These companies will need to act by 27 September 2021, or they will probably be in breach of the General Data Protection Regulation. After 27 September 2021 no new contracts should be executed using the old SCCs.

What has changed?

The new regime on Standard Contractual Clauses includes many of the same features as the previous SCCs, but there are also noteworthy innovations, some of which are listed below:

1. It is now possible (and indeed required) to have several different parties involved in one set of SCCs. For example, an online retailer might have a set of SCCs that include the following: a. the webshop owner (data controller), b. the provider of the webshop platform (processor), c. the hosting provider (processor), d. the payment provider (controller or processor), e. the shipping provider (processor) and f. a company doing data analytics relating to the webshop (processor).

2. It is now easier for third parties such as data subjects to file compensation claims against any of the parties involved in the processing. There is even a joint liability in cases where more than one party is responsible for damage caused in processing the personal data.

3. Parties will now need to carry out, and document a risk assessment for use of the SCCs, and to implement technical or organisational risk mitigation measures to ensure that the rights of data subjects are not compromised by the data transfer.

What do companies need to do?

Companies that are involved in transferring or processing personal data outside the EU/EEC need to review their personal data practices, and find a way of implementing the new SCCs before 27 September 2021. As the old SCCs can no longer be used in new contracts after this date, it will be illegal to transfer the personal data of new customers outside the EU/EEC under a new contract unless the new SCCs have been implemented.

In addition, all use of the old SCCs must cease by 27 December 2022, so at the latest at this point companies will need to renegotiate their old contracts, and roll out the new SCCs also for their old customers/partners.

The Berggren personal data team will be happy to help with any questions/assistance you might have regarding the new SCCs, and practical steps your company will need to take to ensure compliance after 27 September 2021, and 27 December 2022.

Contact blog writers for more information:

Arttu Ahava                                                           
Technology lawyer, certified information privacy professional/Europe (CIPP/E)
arttu.ahava@berggren.fi

Suvi Julin
Technology lawyer, partner
suvi.julin@berggren.fi