Trading internationally? The new data protection SCCs and European guidance explained

Recap: Recent developments such as the invalidation of the EU-U.S. Privacy Shield framework under the Schrems 2.0 and Brexit will have a significant impact on how businesses transfer their data internationally. For more information see our previous webinars:

What safeguards are there for international data transfers?

Safeguards are often needed for international personal data transfers, depending on the locations involved:

  • Binding corporate rules (BCRs) remain the gold standard
  • SCCs are EU-approved template terms which ensure GDPR standards are met (provided the terms in the SCCs are respected). There were previously two sets of approved SCCs for data transfers which had limitations
  • Other exceptions to the rule (see slides and recording below)

What next for the Privacy Shield?

The invalidation of the Privacy Shield means that businesses are now looking at BCRs and SCCs to legitimise their data flows instead.

What next for Brexit?

  • Check whether you transfer any data from the EU/EEA to the UK which may need new safeguards like BCRs or SCCs.
  • Check whether you need to appoint a UK representative (see the UK Representative Service offered by Shoosmiths Privacy Services Limited).

What do the new SCCs for international transfers and guidance say?

  • They are currently under consultation and there is a one year transition period for their use after they are approved
  • They attempt to fix problems with the existing versions and cover many Schrems 2.0 risks. They are intended to be more commercially relevant, catering for multiple parties
  • They are now modular to cover combinations of four scenarios (see below)
  • They are suitable for data exporters not located within the EU/EEA but caught by the GDPR terms
  • There is a need to understand the full chain of processing (from the ultimate controller to the last sub-processor)
  • New guidance from the EU has further clarified the wider “SCC+” assessment exercise requiring vigilance, legal advice, monitoring and action

How do you create a contract from the SCCs?

  • The SCCs have standard clauses that apply in all scenarios (SCCs have priority over other contracts, the terms of which should not contradict them), eg:
    • List of parties, description of transfer, technical and organisational measures and list of sub-processors
    • Enforcement of rights by data subjects and dealing with complaints
    • Liability, indemnity, identifying the competent supervisory authority and jurisdiction
    • Dealing with law enforcement requests and local law conflicts
    • The process if the data importer becomes unable to comply
    • Both parties must consider security, including during transmission
  • There are also optional clauses in the SCCs, eg:
    • A ‘docking clause’: new parties can be added later
    • Various modules for the four scenarios (see below):
      • Controller-to-controller
      • Controller-to-processor
      • Processor-to-processor, and
      • Processor-to-controller
    • Minor aspects of some modules such as time periods for approval of sub-processors, and deletion/return choices of data at the end of processing

What does the controller-to-controller module say (module 1)?

  • Data importer:
    • to give certain privacy information to data subjects
    • to action rectification and erasure and deal with other data subjects’ rights
    • to notify breach to data exporter and competent supervisory authority (the standard is different from the GDPR)
    • to ensure onward transfers have safeguards
  • Both parties:
    • to notify breach to data subjects

What does the controller-to-processor module say (module 2)?

  • Data importer:
    • to arrange its own independent audits (if required)
    • may have to demonstrate compliance to competent supervisory authorities
  • Data exporter:
    • to exclusively control the key for pseudonymised data

What does the processor-to-processor (ie sub-processor) module say (module 3)?

  • Data importer:
    • to comply with instructions from the controller and additional instructions from data exporter
    • to notify the data exporter and, where appropriate, the controller of breach and data subjects’ rights
    • to only subcontract with permission from the controller
    • to demonstrate compliance to the data exporter, controller and competent supervisory authority
  • Data exporter:
    • to inform the data importer if it acts as processor under the instructions of controller
    • to identify the controller in the SCC’s Annex
    • to inform the controller if the data importer cannot follow the controller’s instructions
    • to exclusively control the key for pseudonymised data

What does the processor-to-controller module say (module 4)?

  • Data importer:
    • to not prevent the data exporter from complying with GDPR
  • Data exporter:
    • to comply with the instructions of the data importer as controller
    • there are also extra obligations if it combines the personal data with personal data collected by it in the EU

What do you need to do pre-transfer when using the new SCCs?

  • Know your transfers:
    • map out your processing and locations
    • Remember that remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EU/EEA, is also considered to be a transfer
    • Consider onward transfers by others of the data entrusted to them, ie all actors in the chain down to sub-processors
  • Keep in mind data minimisation
  • The data exporter must assess the third country protections and whether the data importer can satisfy its obligations (typically through a data protection impact assessment (DPIA))
  • The data exporter must consider if supplementary clauses or safeguards consistent with the SCCs are needed and implement them. If the GDPR level of protection is undermined, or the supplementary measures are prohibited or contradict the SCCs, you should not start the transfer (or should suspend it) and consult
  • Re-evaluate at regular intervals

How do you assess the laws of the jurisdiction the data is transferred to? Consider and record:

  • The nature and purposes of the transfer and onward transfers, types of entities, and categories of personal data involved
  • Whether the data will be stored in the third country or if there is only remote access
  • Format of the data to be transferred (pseudonymised, encrypted etc)
  • If data subject rights can continue to be effectively applied
  • Effective limits on any surveillance requests and public knowledge about the location
  • Wider sources of information such as case law, reports from intergovernmental and trade organisations like the UN Human Rights Council

What supplemental measures should you consider?

  • technical measures, such as proper and effective encryption, pseudonymisation and split or multi-party processing
  • contractual measures, such as specifying the technical measures needed, reinforced audit clauses etc
  • organisational measures, such as internal policies, methods and best practices; records of surveillance requests and data minimisation

After transferring what are your ongoing obligations?

  • Understand what you have signed
  • Monitor ongoing developments in the third country/your location
  • Keep track of changing instructions in the services
  • On storage limitation, keep track of contract durations, retention periods and obligations to return or delete
  • Be aware of restrictions and confidentiality obligations for employee access
  • Be aware that third party sharing may be prohibited or, if not, that you will need to keep track of sub-processors and disclose contracts
  • Remember that the data importer has certain duties to notify not just the data exporter but the ultimate controller and competent supervisory authority as things change

What should you be doing now?

  • Understand your data flows and locations involved
  • Assess what safeguards are needed (urgently if you previously relied on the Privacy Shield), and bear in mind transfers into the UK and Brexit
  • Watch out for final decisions about consultations on the guidance and SCCs
  • Watch out for warnings about other countries being unsafe
  • Amendments to policies and privacy notices may be needed but ensure you’re not just undertaking paper compliance
  • Use supplemental measures such as contract terms and technical and organisational measures for risky locations
  • Undertake due diligence with commercial partners
  • For medium to large companies consider:
    • BCRs controller and processor which address processing internally and with customers
    • Hybrid DTA, and
    • SCC+ mini DPIA (post consultation and over 12 month transition)
  • For smaller companies, consider:
    • Hybrid DTA, and
    • SCC+ mini DPIA (post consultation and over 12 month transition)

Disclaimer

This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.