The deadline for signing old Standard Contractual Clauses (SCCs) into new contractual agreements is approaching. In June 2021, the European Commission adopted their modernized SCCs giving organizations a three-month transitional period to begin introducing the news SCCs into contractual agreements. This period ends on September 27, 2021, meaning that beyond this date the European Commission’s new SCCs must be used. However, existing contracts including the old SCCs will remain valid until December 27, 2022. After that point, they will need to be updated with the new SCCs.
The September 27 deadline means that organizations need to update all new contracts that involve data transfers to include the modernized SCCs as well as have a framework in place to conduct transfer impact assessments (TIAs) and assess supplementary measures to ensure the adequate protection of the personal data being transferred. In this blog, we will explore some of the tools and processes that organizations should consider ahead of this deadline and how these can set you up for success moving forward.
Register for the webinar: Prepare for the Schrems II September Deadline on September 21 at 11 AM EDT
What is a Transfer Impact Assessment (TIA)?
At the time of adoption, the European Commission stated that the modernized SCCs will offer greater legal predictability for organizations. Organizations continue to bear a responsibility to assess whether the SCCs remain effective considering all circumstances of the transfer. As such, a TIA should be performed to examine the legal framework of the third country that the data is being transferred to, as well as the law’s practical application, and the availability of access requests from government agencies. Performing a TIA will assist organizations by giving them a greater understanding of the legal landscape of the destination country. It will also provide insight into whether the personal data being transferred can be adequately protected by SCCs or whether supplementary measures are necessary to ensure essential equivalence.
What Should I Include in a TIA?
Before performing a TIA, organizations should first know their data transfers and should consider the data importer, the third countries involved, and the transfer tool being relied on. By mapping and understanding data transfers, organizations can gain a clearer view of where TIAs are applicable and can help form part of an assessment framework.
When performing a TIA, organizations should examine:
- The legal framework of the third country
- The practical application of existing privacy law in the third country
- If access requests can be made by government agencies in the third country
- Whether mechanisms are in place for organizations to refuse government access requests
- Whether legally binding international conventions (e.g. Convention 108) have been entered into by the third country
- Whether an independent supervisory authority for privacy and data protection has been established
- If the existence of legal remedies for data subjects to exercise their rights have been established and the extra-territorial scope of these remedies
OneTrust offers a range of Schrems II solutions including TIA templates to help assess third countries and identify those without adequate protection and users can also access thousands of pre-filled vendor TIAs in the OneTrust Third-Party Risk Exchange. Data Importers can automatically respond to TIAs as well as build a library of answers that are autocompleted using AI, NLP, and ML technology. Data Importers can also upload a trust file to the OneTrust Third Party Exchange to help streamline the process for exporters.
Learn More: OneTrust Third-Party Risk Exchange
What Supplementary Measures Can I Implement?
Having conducted a TIA, organizations can identify whether supplementary measures are necessary to ensure an essentially equivalent level of data protection to that found under the GDPR. If the TIA highlights that supplementary measures are necessary, organizations can consider implementing one or more of the following measures as outlined in the EDPB’s recommendations:
- Split processing
- Contractual obligation to use specific technical measures
- Transparency obligations
- Empowering data subjects to exercise their rights
In the event that supplementary measures must be implemented, the data exporter is responsible for assessing the effectiveness of the measure on the specific circumstances of the transfer and should consider whether multiple supplementary measures are necessary. In some cases, such as when intending to modify the SCCS, the relevant supervisory authority should be consulted before the transfer takes place.
Conclusion: Prepare for the Schrems II SCC Deadline Now
The European Commission’s September 27 deadline is fast approaching, and organizations should be prepared to implement the new SCCs into all contracts involving third-country data transfers moving forward. Unfortunately, the new SCCs will not be a silver bullet for organizations that will also need to consider their transfer impact assessment framework and the supplementary measures that they may have to rely on. OneTrust offers a wealth of solutions including TIA templates and a library of supplementary measures to help businesses get their transfers on track for September 27. Request a demo to learn more about how OneTrust can help or register for the webinar Prepare for the Schrems II September Deadline on September 21 at 11 AM EDT.
Further reading for the Schrems II SCC Deadline:
- OneTrust DataGuidance News: EU: New draft SCCs from the Commission
- OneTrust DataGuidance Blog: The Definitive Guide to Schrems II
- European Commission Official Text: Standard Contractual Clauses for International Transfers
- EDPB Recommendations: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data