The FAQs published by the European Commission on the new Standard Contractual Clauses clarify aspects related to the proper use of SCCs to regulate transfers of personal data outside the EEA.
There is no major news in the FAQs of the European Commission on the new Standard Contractual Clauses, but it is important that they emphasize key concepts, which I summarize below:
- SCCs are non-negotiable and cannot be changed. One can only fill in the sections left blank and decide between the different options available;
- It is possible to include additional provisions that complement the SCCs, but they must not conflict with the SCCs, which in any case prevail. This is an important issue for, e.g., limitation of liability clauses that providers seek to include as part of the negotiation, but which, according to the European Commission, cannot limit liability arising from violation of the SCCs;
- Sub-processors must be specifically identified by naming them, even if general authorization is opted for, and they cannot be referred to as a general category;
- The new SCCs cannot be used for data transfers performed by a data exporter that is not in the EEA but is subject to the SCCs. New SCCs will be adopted to govern this scenario, which is obviously puzzling because it is not clear what solution should be adopted in the meantime;
- The SCCs alone are not sufficient to ensure that a transfer complies with the GDPR; a transfer impact assessment must also be carried out, taking into account the legislation of the non-EEA countries where the data are transferred and the peculiarities of the specific transfer. This again contradicts the position of some European guarantors, who required a TIA that analyzed the situation in the abstract;
- The law governing SCCs must be from an EU country (thus not the UK) with the exception of Module 4, which can also be governed by non-EU legislation;
- It is necessary to switch to the new SCCs; the old ones can no longer be relied on as of September 27, 2022.
We recently ran a survey on the status of data protection compliance in Italy and 36% of the surveyed companies (from 51% resulting from last year’s survey) have not even begun to perform a transfer impact assessment on the adequacy of personal data transfers outside the EEA. Besides, some companies responded that they are not even aware of how to run it.
We are supporting several companies in the performance of the transfer impact assessment also with the support of the DLA Piper legal tech tool and methodology named transfer. You can read a brief presentation on the topic HERE.
On a similar topic, you may find the infographic "How to use the new Standard Contractual Clauses to regulate data transfers" interesting.