Alert – Obligation to amend data protection documentation

Entities transferring personal data outside the European Economic Area (EEA) should amend their data protection documentation by December 27^th, 2022, due to the new standard contractual clauses (SCCs) adopted by the European Commission.

The new SCCs were adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. Entities transferring data to third countries on the basis of the previous SCCs, have to implement the new SCCs by December 27^th, 2022.

Entities processing data outside the EEA should: data outside the EEA should:

1. review the content of the model entrustment agreement of personal data processing and the SCCs used;
2. renegotiate their contracts for data processing outside the EEA;
3. ensure that the terms of their contracts with subcontractors are properly enforced in relation to the points above.

SCCs are model provisions of data entrustment agreements that ensure that data processing complies with Article 28 of GDPR. SCCs divide into:

1. permanent/general – applicable to any data transfer outside the EEA;
2. modular – derivative of a specific scenario of data transfer to a third country:

a) module I – between a controller and a controller in a third country;

b) module II – between a controller and a processor in a third country;

c) module III – between a processor and a processor in a third country;

d) module IV – between a processor and a controller in a third country.

The new SCCs reflect the evolution of data protection rules and take into account the conclusions of the Schrems II judgment (C-311/18). The new SCCs emphasise the importance of the obligation to conduct a risk analysis of personal data transfers outside the EEA, and violations of this obligation are subject to administrative penalties.

It is worth reminding that, since September 22^nd, 2022, the UK alternatives to SCCs must be used for new contracts that contain provisions on the processing of personal data outside the UK (which may be relevant for businesses with branches in the UK or working with UK entities):

1. The International Data Transfer Agreement (“IDTA”) – it ensures that the UK GDPR requirements for cross-border personal data transfers are met and can be used regardless of the roles of the parties (e.g., whether personal data is transferred outside the UK by a controller or processor)
2. The UK Addendum – it allows EU SCCs to comply with the requirements of UK data protection laws. The UK Addendum has different modules that can be applied depending on the role of the parties. It also contains supplementary provisions to the entrustment agreements that are required by the UK GDPR.

Contracts for the processing of personal data outside the UK entered into before September 21^st, 2022, will be valid until March 21^st, 2024. After that time, they will need to be re-entered into according to the guidelines indicated above.

Please feel free to contact the authors of the article: Katarzyna Szczudlik and Aleksandra Czubek.