January 27, 2023

Volume XIII, Number 27

Advertisement

January 27, 2023

Subscribe to Latest Legal News and Analysis

January 26, 2023

Subscribe to Latest Legal News and Analysis

January 25, 2023

Subscribe to Latest Legal News and Analysis
Advertisement

Deadline: ‘Old’ Standard Contractual Clauses (SCCs) Expire Dec. 27, 2022

Go-To Guide:

  • SCCs must be replaced with new version before year-end

  • In addition to the SCCs, a Transfer Impact Assessment (TIA) will need to be conducted

  • Certain EEA and non-EEA companies involved in the sharing of personal data must comply with this deadline

  • Changes are pursuant to European Court of Justice Schrems II decision

After an extended sunset period, time to replace the “old” SCCs runs out on Dec. 27, 2022. After that date, the old SCCs will no longer legalize data transfers to countries outside the European Economic Area (EEA). To avoid compliance risks associated with illegal transfers of personal data, any old SCCs should be updated to their newer version immediately.

Who Is Affected?

Mainly, the following entities are affected:

  • any EEA company (or other entity) that is part of a global group of companies and shares personal data (e.g., HR data) with non-EEA members of that group, and cannot rely entirely on other legitimation for such data transfers pursuant to the General Data Protection Regulation (GDPR);

  • any EEA company (or other entity) that receives services or otherwise has vendors from outside the EEA where such services imply any sharing of personal data which cannot entirely be based on other legitimation for such data transfers pursuant to GDPR;

  • any non-EEA company (or other entity) that is part of a global group of companies and receives personal data (e.g., HR data) from EEA members of that group, and cannot rely entirely on other legitimation for such data transfers pursuant to GDPR;

  • any non-EEA company (or other entity) that provides services or is otherwise a vendor to an EEA entity where such services imply any sharing of personal data which cannot entirely be based on other legitimation for such data transfers pursuant to GDPR;

  • any EEA company (or other entity), or any non-EEA company (or other entity) which previously signed SCCs to legitimize the sharing or the transfer of personal data, and where such SCCs have not yet been replaced by, or in first place been entered into according to, the most recent form for SCCs provided by the EU Commission in 2021.

  • Note that not just cross-border sharing/transfer is affected, but also onward transfer outside the EEA.

Please note: “EEA” includes the member states of the EU plus Iceland, Liechtenstein, and Norway.

Why SCCs?

SCCs are certain standardized contract clauses that legalize personal data transfers to, or data sharing with, entities established in countries outside the EEA. They are one way to legalize such data transfer to, and within countries that the EU Commission has not recognized as having a comparable standard of data protection as the EU (the list of countries granted such approval includes, inter alia, the UK, Japan, Canada, South Korea, Switzerland, Israel, and New Zealand). While there are other means to legalize such data transfers (e.g., so-called “binding corporate rules”), SCCs are easy to use by companies of all sizes and therefore most common.

What Happened?

Following a July 16, 2020, European Court of Justice (ECJ) ruling (“Schrems II”), the EU Commission published and adopted a new version of the SCCs on June 4, 2021 (see GT Alert). Use of these “new” SCCs has been mandatory for new contracts since Sept. 27, 2021. “Old” SCCs entered into before that date remain valid until Dec. 27, 2022. However, starting from Dec. 27,2022, personal data transfers to “unsafe” countries outside the EEA may only be based on the new SCCs.

Also, the new SCCs require a “Transfer Impact Assessment” (TIA), in which the data exporter assesses the concrete risks of a given transfer, and if the exporter identifies significant risks, additional measures that ensure the safety of the data must be implemented.

Considerations for Before the Deadline Expires

If you have already entered into old SCCs, identify which (cross-border or onward) data transfers require the new SCCs.

If you have not concluded any SCCs, identify data transfers to or within “unsafe” third countries that require the new SCCs (or other means to legitimize the transfer).

In both cases, contact your contracting party to conclude new SCCs.

In both cases, ensure that a TIA is conducted and documented regarding each such data transfer.

To the extent your contract also involves a cross-border or onward transfer of UK personal data, consider including the UK International Data Transfer Agreement or the UK International Data Transfer Addendum to the EU’s SCCs.  Although organizations have until 21 March 2024 to update contracts involving UK personal data that rely on the old SCCs, including the new UK transfer mechanisms now could prevent yet another round of contract updates in 2024.

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 336
Advertisement
Advertisement
Advertisement

About this Author

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney
Partner

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

49 -030700-171-150
Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney
Counsel

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

490-30700-171119
Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity,The Cloud,Artificial Intelligence, Big Data
Shareholder

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of...

415.655.1319
Advertisement
Advertisement
Advertisement