TL;DR — The EU has a new set of Standard Contractual Clauses (SCCs) that are required for data transfers concerning protected personal information. In 2023 and beyond, you’ll need to incorporate intra-EU or international SCCs to ensure your data transactions are compliant.
Want to learn more about GDPR Standard Contractual Clauses? Request a consultation today!
What is a GDPR Standard Contractual Clause?
The General Data Protection Regulation (GDPR) is a comprehensive data protection framework that safeguards the privacy of personal data belonging to EU residents. Under the GDPR, data processing agreements (DPAs) covering transfers of this data need to include Standard Contractual Clauses (SCCs) to guarantee that data protection safeguards are in place.
The SCCs currently required were introduced in 2021, replacing outdated SCCs on the heels of the Schrems II decision. This landmark case from 2020 updated many elements of GDPR compliance, specifically for US-based organizations that had relied on the Privacy Shield.
Below, we’ll walk through what the new SCCs emphasize and some of the broader implications of Schrems II, including how your organization can maintain GDPR compliance into the future.
Changes in the New Standard Contractual Clauses
The SCCs are a way to streamline compliance and data protections between trading partners within and outside of the EU when their transactions involve EU residents’ personal data. The newest SCCs build on protections from the originals, with three major innovations:
- Single entry point – The new SCCs cover a wider range of transaction scenarios under the same blanket language rather than breaking down into several different clauses.
- Modular approach – The new SCCs can pertain to multiple parties rather than just two; this allows for greater flexibility to accommodate and enable complex processing chains.
- Practical toolbox – The new SCCs also explain clearly what steps organizations need to take to meet the enhanced requirements of Schrems II, including practical examples.
Organizations that had been relying on earlier versions of the SCCs were given a grace period for select DPAs, but nearly all transactions after December 2022 need to incorporate the new SCCs. In particular, there are two kinds: those for controllers and processors in the EU, and those for entities outside the EU that come into contact with EU residents’ personal data.
SCCs for Controllers and Processors in the EU
The first set of new SCCs covers transfers of personal data between data controllers and processors based in the EU. These intra-European Standard Contractual Clauses include template language that breaks a complex set of clauses down into simplified annexes for organizations to include in their DPAs. The four Annexes for intra-EU SCCs are:
- Annex I – A list of the parties involved in the DPA, their contact information, etc.
- Annex II – A description of the processing the personal data will be subject to, including:
  - Whom the data is collected from and what kinds it includes (by category)
  - What processes will be applied to the data, how, and for how long
  - Why the personal data is being collected and processed
- Annex III – A description of the security controls applied, including but not limited to:
  - Encryption or other means of pseudonymization
  - Regular testing and assessment of security protections
  - Identity authentication for access to personal information
- Annex IV – A list of sub-processors who may come into contact with the data (and their contact information).
There are provisions concerning onward transfers of data to international destinations. But these SCCs primarily concern controllers and processors within the EU—that is, the parties responsible for the data and the parties carrying out processing on the data, respectively.
SCCs for International Transfers of Personal Data
The second major category of SCC involves transfers of GDPR-protected data to organizations in international territories outside the EU. This includes both EU-recognized “third countries” (select nations with advanced privacy safeguards) and other areas, such as the US.
International SCCs operate almost identically to the first kind, but they spread the same general scope of information across three Annexes rather than four. Namely, Annex I in these SCCs describes both the parties and the data processing (Annex I and Annex II, respectively, in the intra-EU SCCs).
International SCCs also include modular specifications for different kinds of data transfers:
- Module One, concerning transactions from Controller to Controller
- Module Two, concerning transactions from Controller to Processor
- Module Three, concerning transactions from Processor to Processor
- Module Four, concerning transactions from Processor to Controller
Critically, the older SCC models did not account for Processor–Processor transactions. The ability to include multiple modular clauses between a wider range of entities makes the new International SCCs far more flexible and accommodating for a broader range of transactions.
The Schrems II Decision and its Implications
Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), was decided by the Court of Justice of the European Union (CJEU) in 2020. It concerned Facebook’s practice of transferring GDPR-protected data to US servers, which exposed that data to US governmental surveillance. In deliberating whether this arrangement breached the GDPR, the CJEU ultimately ruled that one governing framework, the Privacy Shield, was no longer valid. This, in turn, led to the development of the new SCCs.
For US organizations that need GDPR compliance, any DPAs or other agreements that relied upon the Privacy Shield will no longer provide assurance on their own. So, if your organization deals in the personal data of EU residents, you should work with a GDPR advisor to determine how you should use SCCs and other measures to achieve and maintain compliance.
Optimize Your GDPR Compliance Today
RSI Security has helped countless organizations implement GDPR-compliant protections, including but not limited to SCCs. Our experts are committed to service, helping your team understand the nuances of data privacy and how to ensure all applicable rules are being met.
We’ll provide advisory, implementation, and assessment services to help you optimize data protection for GDPR and any other regulatory frameworks. Together, we’ll rethink your security.
For guidance on Standard Contractual Clauses and GDPR compliance, contact us today!