The year 2021 is on the home stretch. The new year is (almost) just around the corner. The topic of data transfer to third countries will continue to occupy us in 2022. There is a concrete need for action if your company uses standard contractual clauses. By the end of 2022, all contracts must be converted to the new EU standard contractual clauses.
What it is about
Transferring personal data to contractual partners outside of the EU requires safeguards for data protection. In practice, the most important instrument for this is the so-called EU standard contractual clauses. Until June 2021, these clauses were still based on the old EU Data Protection Directive and needed to be adapted to the GDPR.
The EU Commission therefore adopted revised, new EU Standard Contractual Clauses 2021 on 4 June 2021, making them more widely applicable and eliminating practical problems. Previously, there were only contractual clauses for the export of data from “controllers in the EU” to “controllers or processors outside the EU” (controller-to-controller or controller-to-processor). The new EU Standard Contractual Clauses 2021 additionally cover cases where processors export data from the EU (Processor-to-Controller and Processor-to-Processor). This eliminates the previous need to conclude direct contracts with sub-processors of EU service providers in certain cases.
Furthermore, the new EU Standard Contractual Clauses 2021 take into account the “Schrems II” decision (C-311/18) of the ECJ. The court overturned the Privacy Shield agreement, but continued to allow data exports on the basis of EU standard contractual clauses in principle. However, for transfers to countries such as the USA, whose laws provide for extensive official access and monitoring measures with limited legal protection, the ECJ demanded additional guarantees of a contractual, technical or organisational nature. The Commission has now taken this into account with a clause that obliges recipients to provide information about and, if necessary, to take legal action against government requests for disclosure. In the view of the EU supervisory authorities, however, further measures such as special encryption remain necessary for U.S. transfers.
Use of old EU standard contractual clauses no longer permitted
The previous EU standard contractual clauses may no longer be used for new contracts concluded after 26 September 2021 (cut-off date). Contracts concluded with the old EU standard contractual clauses before the cut-off date may remain unchanged until 27 December 2022, but must then be adapted and converted to the new EU Standard Contractual Clauses 2021 (see following paragraph).
Old contracts must be adapted (by 27 December 2022)
Contracts containing the old EU standard contractual clauses must be converted to the new EU standard contractual clauses by 27 December 2022.
Here we recommend the following procedure:
- First, create an overview of all contractual partners with whom you have agreed to EU standard contractual clauses. This includes contracts with cloud providers that provide hosting or support outside the EU (e.g. Microsoft, AWS or SAP). But also consider contracts with smaller service providers (controller-to-processor) as well as with controllers (controller-to-controller).
- Create a schedule for updating the contracts by December 2022 at the latest. Here, you should plan enough lead time to be able to meet the transition period. We recommend starting the process in January 2022 at the latest.
- Write to the contractual partners and propose a switch to the new EU standard contractual clauses. In the case of larger providers (such as hyperscalers), you can assume that they will first review the clauses, integrate them into their contracts and update old contracts in the coming months. For these providers, you can set a reminder to follow up in early 2022 and then approach them if necessary.
- In addition, you should check whether further guarantees need to be agreed in addition to concluding the new EU Standard Contractual Clauses 2021.
Effect on intra-group agreements
Intra-group agreements for the transfer of personal data must also be converted. Since the new clauses cover even more scenarios than before, they are in any case better suited for regulating the intra-group exchange of data. This adaptation should be tackled promptly. Here, too, the deadline for concluding the updated group agreements is 27 December 2022.
Does that settle “Schrems II”?
Probably not. The EU Commission has made efforts to include additional contractual guarantees in the new EU standard contractual clauses 2021. However, the European data protection authorities have expressed scepticism in advance that this is sufficient for all cases of transfers to the USA, for example. The new EU Standard Contractual Clauses 2021 are therefore helpful, but probably do not end the ongoing discussion about the need for additional measures for transfers to countries like the US.