Deconstruct 'contract chaos' to comply with EU data transfer rules

Zachary Foreman

Zachary Foreman

By Zachary Foreman

Zachary Foreman (zachary.foreman@knowable.com) is Offerings Lead for Knowable in Mainz, Rhineland-Palatinate, Germany.

In June 2021, shortly after the third birthday of the General Data Protection Regulation (GDPR) and on the heels of the Schrems II decision, the European Commission released new editions of the standard contractual clauses (SCCs). With them has come another headache for privacy, legal, and compliance professionals: a complex project of updating executed contracts in order to maintain compliance with the latest developments in the international data transfer regulatory regime.

Amending contracts at scale to reflect the latest SCC changes requires the focused application of people, process, and technology. But the real challenge—maintaining contract compliance in a shifting regulatory environment—requires systematically monitoring your organization’s contractual provisions in order to execute projects, demonstrate compliance, and measure risk across the organization.

How SCCs regulate data transfers

SCCs are a vital tool in the modern data protection compliance toolkit, but what are they, and how are they used? SCCs are the most important way that the European Union (EU) ensures that its residents’ data rights remain protected even when the data itself is transferred to another country with other, less stringent regulations. The European Commission can’t require other countries to enforce its rules overseas, but it can set conditions and safeguards under which data can be exported outside of the EU. By far the most common safeguard to protect exported data in use today is the standard contractual clause—a blanket term for any one of three sets of clauses that must be incorporated verbatim and completely into a contract covering a data transfer. These SCCs specify requirements for both the data importer (the organization receiving the data) and the data exporter (the organization sending it).

The 2020 Schrems II ruling invalidated Privacy Shield, a program for transferring data to the United States, and sharpened the level of scrutiny data exporters are required to apply to their data transfers. In response to that ruling, the European Commission released its new versions of its SCCs. Companies had until September 27, 2021, to update their templates and negotiation playbooks to include the new SCC versions for new contracts. The next step is to amend all executed contracts that contain the old SCCs with the newly released modules by December 27, 2022.[1]

Preparing for repapering projects

The new SCC modules make a number of changes to the structure of SCCs that will affect how organizations need to plan their amendments and, ultimately, result in hefty repapering projects that will need to incorporate the following considerations.

Relationship scope

The previous SCCs covered data transfers from controllers to controllers and from controllers to processors. The updated versions include those scenarios, but also include modules that enable transfers from processors to processors and processors to controllers. This is good news for processors engaging other processors in a subprocessing relationship. Previously, there was no approved mechanism for international subprocessing transfers, making compliance with GDPR impractical. Processors that currently engage subprocessors should isolate their contracts with those subprocessors to identify if and how they might implement these new processor-to-processor SCCs to streamline their data transfer relationships.

Multiparty agreements

The new SCCs contain an optional “docking clause” that enables additional parties to join into the agreement, either as data exporters or as data importers. This offers more flexibility for complex transfers, as any set of SCCs can contain multiple senders and receivers of data. Organizations with complex data transfer arrangements—such as large intra-group data transfers or with multiple entities transferring data to the same organization(s)—may want to review and simplify their contractual requirements by having multiple parties sign on via this docking clause.

Level of detail required

The new SCCs heighten the level of specificity required in the appendices of the SCCs regarding the details of the data being transferred. In particular, data importers must list the specific technical and organizational security measures in place for each data transfer, making it clear which measures apply to which transfers. Organizations repapering their existing contracts must make sure to collect this information in advance to adequately populate these appendices—whether through data mapping or analysis of their executed agreements.

Transfer impact assessments

As a result of the 2020 Schrems II court case, the new SCCs include warranties that both parties have assessed the details of the transfer—including the laws and practices of the destination country, the circumstances of the transfer itself, and the measures of data protection put in place—and determined that they will not undermine the protection of the personal data being transferred.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings