Who is your favourite author?
DZP alerts.
10.10.2022
Authors:
Dr Bartosz Marcinkowski
Sylwia Kuca
Practice:
Specialisations:
For years, the most common basis for legally transferring personal data from the EU to the USA, India or China has been an agreement based on the Standard Contractual Clauses developed by the European Commission (SCC).
In the Schrems II case, the Court of Justice of the European Union (CJEU) held that, although the SCC are still valid, they cannot be applied indiscriminately and those using them must assess whether the third country provides personal data protection at a European level.
And so, on 4 June 2021, the European Commission adopted a new set of SCC to ensure compliance with new legislation. Consequently, all old SCC must be replaced with new ones by 27 December 2022. In the case of large enterprises, this means hundreds and sometimes thousands of contracts having to be signed in line with the new version.
Please note that failure to implement the new SCCs by the deadline may give rise to the following risks:
The main aim of introducing the new SCC is to ensure adequate safeguards for the transfer of personal data to countries outside the EEA in the absence of a European Commission decision finding that the country has an adequate level of protection. This translates into changes to the structure of contracts and their scope of application.
Entities transferring personal data to third countries should review the basis for the transfers and, if necessary, conclude new contracts using the new SCC applicable from 27 September 2021.
In view of the current transition period ending 27 December 2022, parties that concluded contracts before 27 June 2021 may continue to use the old SCC. Still, they are required to carry out an additional adequacy assessment and implement any necessary supplementary measures as referred to in the EDPB 01/2020 recommendations.
After 27 December 2022, all data transfers based on old SCC must be changed to the new SCC.
Companies from outside the EEA importing personal data based on the old SCC should make every effort to implement the necessary changes to enable personal data to be transferred legally to third countries before the end of the transition period. In order to do so, it is necessary to identify all existing contracts used based on the old SCC and to decide whether the transfer of data described in them will continue after 26 December 2022. If it is to continue, it is crucial to set an appropriate time limit for updating.
Despite these changes and the high-profile SchremsII judgment, few international companies are aware of the seriousness of the situation. It is therefore worth enlisting the help of qualified legal advisers to guide companies through the rigorous process.
Our specialist team advises clients on personal data protection.
We support our clients in, e.g.: