Since last summer’s Schrems II judgment, about which we have reported repeatedly on our blog, exporting personal data outside the EU has become quite cumbersome. In particular, the disappearance of the EU-US “Privacy Shield” is causing a lot of complications and forces European companies to conclude Data Export Agreements on a large scale with non-European (usually American) partners containing so-called “Standard Contractual Clauses”. These SCCs are model documents made available by the European Commission to be copied into Data Export Agreements, so that safe export is guaranteed at a contractual level.
However, one of the major problems until now when concluding Data Export Agreements was that the European Commission’s SCCs were outdated. They dated from before the entry into force of the GDPR and had been adapted neither to the GDPR nor to the current technological and economic reality.
Those old SCCs have now finally been replaced by new, fully up-to-date versions in June 2021, and European entrepreneurs can now get started concluding legally sound and secure Data Export Agreements with their partners outside the EU. Below we summarise what you need to know about these new SCCs. On our download page you will also find a downloadable copy of the new SCCs, along with our Vendor Assessment Form, which you can use to determine whether your foreign partners receive personal data from you and, if so, whether they handle it correctly and in accordance with the GDPR. This way you can work quickly, clearly and with a minimum of effort on GDPR compliance within your company.
Data export is any transfer of personal data to a partner outside the EU. That partner could be a hosting provider from whom you rent server space, an offshore call centre or customer service, a developer or online marketing agency outside Europe, a cloud storage service, an email service provider or just about any online service or tool you can imagine.
The GDPR only allows data export to countries outside the EU if the recipient outside the EU can guarantee an adequate level of protection.
A handful of countries are automatically considered to offer an adequate level of protection. For most other countries, data export since the end of the EU-US Privacy Shield requires a Data Export Agreement in which written data protection guarantees are given.
“Appropriate additional guarantees”
Since the Schrems II judgment, we know that simply signing (the old version of) the SCCs is not in itself sufficient to ensure safe data export. As a European entrepreneur, you are obliged to carry out a documented assessment of the risks involved for every data export and, where necessary, to request “appropriate additional guarantees” from the recipient. We have already set these out for you several times, in this article about Mailchimp and in this webinar on our YouTube page.
New SCCs are “Schrems proof”
The new Standard Contractual Clauses are not only fully aligned with the text and content of the GDPR, they have also been made “Schrems proof”. That is to say, they contain many clauses that meet the requirements set out by the European Court of Justice in the Schrems II judgment: a prior risk assessment and additional guarantees where necessary.
Please note that this does not mean that a separate risk assessment and additional separate guarantees are no longer necessary. As an entrepreneur, you still have to carry out the necessary preliminary investigations before exporting personal data outside the EU, but the new SCCs at least already provide for this obligation in their content, which was not the case with the old ones.
In the past, a number of “versions” of the SCCs coexisted. Depending on the situation, you chose one of those versions and incorporated it into an agreement, for example for data export between a European controller and a non-European processor.
That system is now replaced by one single set of SCCs, which you adapt to your own situation by including or omitting individual clauses (modules). According to the European Commission, this should make the clauses easier to use, but personally we fear that it threatens to do exactly the opposite and to seriously impede the use of these model documents by non-lawyers.
That single version of the SCCs also covers, for the first time, two situations that were previously missing: the transfer by a processor in the EU to a controller outside the EU, and the transfer by a processor in the EU to another processor outside the EU.
Replace your existing SCCs in good time, with our help at Sirius Legal!
The old SCCs may still be used for new data exports for three months after the new SCCs enter into force (i.e. until 27 September 2021). A further grace period of 15 months applies to existing data exports, but after that (i.e. by 27 December 2022) all existing Standard Contractual Clauses must also be replaced by the new ones.
Since the content of the new SCCs has changed considerably (there are many new additional guarantees and obligations, for instance), this means that as a company you will have to renegotiate a lot of those existing model contracts, or at least carefully review the new versions before signing.
Sirius Legal can help you with that. You can visit our website for our “Data Export Compliance” service, with which we guide your company through the maze of old and new SCCs and “additional appropriate measures”.
In any case, make sure you have a good overview of all your data exports in a spreadsheet, check with whom you do or do not have a current Data Export Agreement, and ensure that you invite your partners in good time to amend an agreement concluded in the past or to conclude a new Data Export Agreement where none existed before.
Do not forget to carry out an individual impact assessment for each transfer and to document it properly. If one day there is a cyber attack or hack at one of your suppliers and it turns out that you did not follow the rules before entrusting your data to them, you quickly risk being held liable for the consequences of such a data breach.
Be aware that data export is a point of attention for many supervisory authorities, including our Belgian Data Protection Authority. The German authorities, for example, announced this week that they will carry out extensive checks on data exports by German companies. Those checks will focus primarily on the use of email service providers, hosting companies, tracking via cookies, application management and the exchange of customer data within groups of companies, for example via Customer Data Platforms.
Questions about data export or GDPR in general?
We are happy to make time for you. Feel free to call or email Bart Van den Brande at firstname.lastname@example.org or +32 492 249 516 or book a free online introductory meeting with Bart via Google Meet or Zoom.