What You Need To Know About The New SCCs

By now, any new agreement you’ve entered since September 2022 to transfer data outside of the EEA should have adopted the new Standard Contractual Clauses (SCCs).

But what about your existing agreements? If you’ve been relying on your existing agreements to transfer personal data outside the EEA, this blog will cover everything you need to know about the upcoming deadline on 27 December 2022.

When do you need to include SCCs?

SCCs need to be used whenever personal data is being transferred from the EU to any non-EU country, unless the European Commission has deemed the data protection legislation in that jurisdiction to be adequate. So far the list of adequate countries includes Canada, Japan, Switzerland and the UK. For the full list of adequate countries, click here.

Background

In June 2021, the European Commission introduced new SCCs to improve on the old SCCs making them easier to use for businesses. One of the key improvements made was to incorporate modularity. Now, instead of having different SCCs for different relationships between exporters and importers (e.g. controller to processor or controller to controller), you can apply modules according to the relationship in question.

From 27 September 2021 onwards, all new contracts that you entered into had to include the new SCCs.

By 27 December 2022, all of your existing data sharing agreements must have adopted the new SCCs. This impacts any agreement entered into before 27 September 2021 which remains live, including intra-group agreements.

What do I need to do?

You’ll need to remediate impacted agreements to replace the old SCCs with the new ones. In some cases, that might simply involve sending a notification to the counterparty, but you may also be required to negotiate and sign a contract change notice.

How can oneDPA help?

With constant regulatory changes, we know how difficult it can be to keep up - particularly around the day job. That’s where oneDPA can help. Following the success of oneNDA, oneDPA is an industry-standard DPA developed with lawyers from leading organisations and law firms and the legal community at large). Beyond saving you a lot of time negotiating as a recognised industry-standard, oneDPA is - and will remain - completely up-to-date in terms of UK and EU regulatory compliance, allowing you to leverage industry expertise to always keep your data sharing arrangements compliant. To find out more on how to adopt oneDPA for free, click here.

Anything else I should know?

In this day and age, we know that you’re most likely transferring data between a multitude of different countries. To help you stay compliant, we’ve mapped out various data sharing scenarios in our oneDPA flowchart.

Need a hand?

Get in touch today at hello@tlb.law if you want to discuss how we can help you amend your SCCs.