Data privacy safeguards are critical to protecting personal data covered by the GDPR from privacy and security threats. One safeguard specific to the EU GDPR is the set of standard contractual clauses (SCCs), which set out the protections data controllers and processors must commit to when handling personal data, particularly when that data is transferred outside the EU. Read on to learn how SCCs work.
What are Standard Contractual Clauses (SCCs)? A Brief Overview
The best way to understand how standard contractual clauses (SCCs) work is to explore their application under the EU GDPR data protection framework. Below, we’ll provide an overview of:
- Standard contractual clauses, as provided for by the GDPR
- The SCCs adopted by the European Commission under the GDPR framework
- Best practices for managing data security risks using SCCs
Incorporating the applicable SCCs into contracts with internal or external stakeholders will help you remain compliant, especially with guidance from a qualified EU GDPR compliance partner.
What are SCCs According to the EU GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) is one of the most stringent data privacy regulations in the world. Under the GDPR, organizations that handle the personal data of individuals in the EU must keep it safe from privacy threats as it is processed within and outside of the EU. Article 46(2)(c) of the GDPR allows the European Commission to adopt standard contractual clauses: pre-approved, legally binding contract terms that organizations incorporate into their agreements as operational safeguards, most importantly to provide the “appropriate safeguards” required for transfers of personal data to countries outside the EU.
These clauses replace the SCCs previously adopted under Directive 95/46/EC, which was repealed in 2018 when the GDPR took effect. For GDPR protections to effectively safeguard data, the European Commission strives to keep them up to date with current and anticipated security needs across data environments subject to the GDPR.
The Role of SCCs in Privacy Regulations
The EU considers data privacy a fundamental right, granting its citizens the freedom to decide how their data is handled. As EU law-making bodies modify privacy regulations, organizations subject to these laws must understand how to apply the changes to their existing contracts.
This is especially true in cases where cross-border business transactions are involved.
Standard contractual clauses are one of the “appropriate safeguards” under Article 46 of the GDPR that allow organizations to lawfully transfer personal data to a third country; they are not a legal basis for the underlying processing, but a commitment by the parties to specific data privacy and security controls that meet GDPR requirements.
In business contracts where data is transferred across borders, SCCs function as baseline privacy safeguards. Hence, if your organization is required to comply with the GDPR (for example, because you collect or process the personal data of individuals in the EU), you need to know how these SCCs work.
Breakdown of the SCCs in the GDPR
Until mid-2020, most transfers of personal data from the EU to the United States relied on either the EU-US Privacy Shield Framework or the original SCCs adopted under Directive 95/46/EC. In July 2020, the Court of Justice of the European Union (CJEU) declared that the Privacy Shield Framework did not provide sufficient data privacy safeguards to meet EU standards. The court upheld the SCCs as a valid transfer mechanism, but only on the condition that the data exporter verifies that the law of the destination country does not undermine the protections the clauses promise.
This decision arose from the case “Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems” (C-311/18, commonly called Schrems II). It turned on US surveillance laws that permit government authorities to access large amounts of data about individuals in the EU without the proportionality limits or avenues of redress that EU law requires for data subjects. In June 2021, the European Commission adopted new SCCs under the GDPR, repealing the older sets.
NOTE: As of this publication, organizations that still rely on the older SCCs in contracts concluded before 27 September 2021 have until 27 December 2022 to transition to the new SCCs, provided the processing operations under those contracts remain unchanged; the older SCCs can no longer be used for new contracts.
Secure EU International Data Transfers with the New SCCs
The older versions of the standard contractual clauses were adopted to supplement Directive 95/46/EC (1995) and existed as separate documents.
Each set of older SCCs respectively safeguarded the transfer of the personal data of individuals in the EU from:
- Controller to controller
- Controller to processor
However, the new transfer SCCs exist as a single document divided into four modules that address four types of international data transfers:
- Module One pertains to controller-to-controller transfers.
- Module Two secures controller-to-processor transfers.
- Module Three safeguards processor-to-processor (including sub-processor) transfers.
- Module Four applies to processor-to-controller transfers.
Currently, there are two new sets of standard contractual clauses adopted by the European Commission under the GDPR:
Set One SCCs – Contracts Between Data Controllers and Processors
Under Article 28 of the EU GDPR, data controllers must put a contract in place with every processor that handles personal data on their behalf, and that contract must contain specific mandatory terms. The Set One SCCs, adopted under Article 28(7), are a pre-approved template for that contract. They govern controller-processor relationships within the EU and are not, by themselves, a mechanism for transferring data outside it.
As a data controller, you remain free to draft your own contracts with processors within the EU, provided they contain the terms Article 28(3) requires; the Set One SCCs are an optional way to satisfy that requirement. The clauses in these contracts (whether SCC or otherwise) can be expanded to meet the particular data security or business needs of controllers and processors, as long as any additions do not contradict the SCCs or reduce the protection afforded to data subjects.
Additionally, the text of these controller-processor SCCs itself cannot be modified, except:
- To select among the options the clauses provide
- To complete the Annexes with the details of the parties, the processing, and the technical and organizational security measures
Moving forward, including Set One SCCs (or equivalent Article 28 terms) in all contracts between GDPR data controllers and processors will help minimize gaps in security controls that could result in data breaches.
Set Two SCCs – GDPR Data Transfers Outside the EU
The second set of standard contractual clauses, adopted under Article 46(2)(c), safeguards personal data transferred from a data exporter in the EU to a data importer in a third country, whichever of the four module configurations (controller or processor on either side) applies. Considering the differences in data privacy safeguards across countries outside the EU, the second set of SCCs is designed to keep the personal data of individuals in the EU protected regardless of where it is processed.
These SCCs also help standardize the protections applied to GDPR data during international transfers, ensuring compliance with the GDPR requirements.
Additionally, GDPR-subject entities can rely on SCC provisions to move data across borders to countries without an adequacy decision, minimizing hindrances to international business. Since Schrems II, however, signing the SCCs is not enough on its own: Clause 14 of the new transfer SCCs requires the parties to assess whether the laws and practices of the destination country prevent the importer from fulfilling its obligations, to document that assessment (commonly called a transfer impact assessment), and to adopt supplementary measures, such as encrypting the data with keys that remain solely under the exporter’s control, where the assessment finds a gap. All the parties involved in transferring GDPR data across borders must fully understand their roles in these processes and identify the implications of SCCs for the security of this sensitive data.
Risk Management with EU GDPR SCCs
GDPR data privacy risk management requires incorporating standard contractual clauses into business contracts between data controllers and processors, and into the contracts governing any transfer of personal data outside the EU.
For GDPR-subject organizations, safeguarding the privacy of GDPR data requires:
- Evaluating the SCCs included in agreements between controllers and processors to ensure the clauses are up to date with the current GDPR requirements
- Identifying contracts where either data controllers or processors are still subject to the old SCCs and migrating these clauses to the 2021 SCCs before the transition deadline
- Reviewing Data Processing Agreements (DPAs) established under older SCCs to ensure they meet the privacy standards of the newer ones
- Increasing employee awareness about international data transfers that may be subject to the GDPR requirements
- Mapping out the routes of data transfers involving multiple parties across different countries, especially when data is processed at various international sites or by sub-processors
- Conducting risk assessments of existing data transfers, including the transfer impact assessment the new SCCs require for each destination country, to ensure that the SCC-driven safeguards implemented are compliant with the GDPR
More importantly, any organization that handles the personal data of individuals in the EU must be aware of its role as a processor or controller. Defining your current obligations based on the GDPR requirements will help you frame the role played by SCCs in managing data privacy risks.
Safeguard GDPR Data Transfers with SCCs
Whether you’re renewing data transfer contracts with your current business partners or looking to build new relationships, SCCs will help you keep GDPR-subject data safe in the long term.
The best way to navigate the legal implications of SCCs is to leverage the expertise of an EU GDPR compliance partner like RSI Security. To get started safeguarding GDPR data during international transfers, or to learn more about how SCCs work, contact RSI Security today.