New EU SCCs – Are you prepared?

While day-to-day life may have come to a grinding halt during the pandemic, the same certainly cannot be said for the world of data protection.

As we now enter spring, the frost on the ground starts to disappear, and we enter a new quarter; the deadline for the implementation of the New EU Standard Contractual Clauses (SCCs) is 9 months away.

Who is this update for?

If you’re subject to the EU GDPR (e.g. because you have an office, customers or monitor individuals in the European Economic Area - EEA) then it’s time to make sure all your contracts are in order. If the last 12 months are anything to go by, the 27th of December 2022 will be here before you can say Omicron variant!

Do you need to do anything?

An easy flowchart to determine if you're needing to act on the new EU SCC rules. view the EU SCCS flowchart in full size here.

Since Brexit

In the relatively short space of time since the end of the Brexit transition period, we’ve had:

• an EU/UK adequacy decision granted;

• new EU Standard Contractual Clauses (SCCs) published;

• a new ICO commissioner appointed; and

• a government consultation issued on reforming the UK data protection regime.

Of these recent developments it is perhaps the publication of the new EU Standard Contractual Clauses (SCCs), and impending discontinuing of the old EU SCCs, which organisations need to be acutely aware of given the deadlines for implementing the new EU SCCs into contracts (where necessary).

Note: The new SCCs do not (yet) apply to transfers of personal data from the UK to third countries (countries who do not have adequate levels of data protection of the EU standards). See the timetable below for more details.

What's changed with EU Standard Contract Clauses (SCCs)?

Earlier this year the European Commission (“Commission”) published new EU Standard Contractual Clauses (“SCCs”), which, as of 27 September 2021, repealed and replaced the old EU SCCs.

As you may be aware, SCCs provide a practical, and often used, solution for companies to transfer personal data from the EU to those countries outside of the EEA (European Economic Area) not deemed to provide equivalent protections to the EU GDPR (“third countries”).

The deadline

With the old EU SCCs having now been repealed, the Commission have set a deadline of 27 December 2022 for companies to ensure that:

1. All contracts entered into from 27 September 2021 incorporate the new EU SCCs where necessary and;
2. All existing contracts relying on the old EU SCCs as a transfer tool are updated to replace the old with the new EU SCCs.

What do you need to do?

If you are a company subject to the EU GDPR and relying on the old EU SCCs to transfer personal data to third countries:

1. Stop using the old EU SCCs for any new contracts and start using the new EU SCCs.

2. Audit your existing contracts, including intra-group data sharing agreements (“DSA”), to identify and amend all that incorporate the old EU SCCs.

   If you would like us to carry out this audit process and incorporate the new EU SCCs where applicable, this will count as a total of one credit* if you are an existing subscription client, otherwise starting from £500 + VAT* (*price/credit dependent on how many SCCs/contracts require amending).

3. If you don’t want us to review your current arrangements. The new SCC templates are available to download at Standard Contractual Clauses (SCC) | European Commission (europa.eu).

Please note, it is important to ensure that each contract is assessed on a case-by-case basis and not take a blanket approach to amending your contracts because of the modular approach to the new EU SCCs (see the attached PowerPoint for further detail on this).

As a separate point — If you require an intra-group DSA with the relevant SCCs, but do not currently have one in place, we would be happy to draft this for you. Please do get in touch

Do you need the new EU SCCs if transferring personal data to third countries from the UK?

No, the new EU SCCs are not recognised in the UK and UK based companies can continue using the old EU SCCs for transfers from the UK to third countries until such time as the ICOs final version International Data Transfer Agreement (“IDTA”) is published.

Please note, although UK companies do not need to do anything right now with regard to the new EU SCCs, we recommend preparing for the IDTA in advance of it coming into force by carrying out the audit process set out at point (2) above.

Timetable for the New EU SCCs

Organisations transferring personal data from the EU to ‘third countries’ will need to be ready to incorporate the new EU SCCs into their contractual agreements in accordance with the following timetable:

1. 27 June 2021

   The new EU SCCs were made ready for use. However, organisations are still able to use the old EU SCCs in new and existing contracts.

2. 27 September 2021

   The old EU SCCs are repealed and no new contracts can be signed which incorporate them as a transfer mechanism –for all new contracts, the new EU SCCs must be used.

3. 27 December 2022

   Deadline for ensuring all existing contracts are amended to remove the old EU SCCs and incorporate the new EU SCCs.

Please note, the above timeline only applies to transfers of personal data from the EU to ‘third countries’, and organisations caught within this criteria should certainly review their existing contractual arrangements and intra-group transfer agreements that rely on the old EU SCCs as a valid transfer mechanism.

View our PowerPoint to find out more

Law 365 The New EU Standard Contractual Clauses (SCCs) from KimSimmonds

How can we help?

If you've got a questions surrounding the new EU SCCs, get in touch with our experts on our Get Started page.

This is part of our data protection series. Read more here:

• How will processing personal data change post-brexit?
• A new Information Commissioner — What will this mean for web surfers?
• More about Standard Contractual Clauses (SCCs)