How to use Standard Contractual Clauses
| Jelle Hoekstra |
When you process personal data outside of the reach of the General Data Protection Regulation (GDPR), additional safeguards are required to ensure the same level of data protection as in Europe. One of the ways to do this, is by using a model contract approved by the European Commission: the so-called standard contractual clauses (SCCs). On the 4th of June 2021, new standard contractual clauses have been adopted by the European Union. The new SCCs require parties to perform and document an assessment with regard to the planned data transfer. This assessment is called a ‘data transfer assessment’ or a ‘data transfer impact assessment’. In this article, we’ll explain the contents of this assessment.
Is it possible to use U.S. based cloud services as a European company? Yes, but there is an assessment and some paperwork to be done. After the Shrems II case and the new standard contractual clauses, it is no longer enough to just sign a contract: an assessment or due diligence of parties you transfer data to is needed.
On the 16th of July 2020, the European Court of Justice decided upon a case against Facebook Ireland Ltd’s, brought upon the court by privacy activist Maximilian Schrems. This case, also known as Schrems II, made the EU-U.S. Privacy Shield as a method for international data export invalid. As a result of Schrems II, international data transfers must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (e.g. because of potential access by law enforcement or national security agencies). This Transfer Impact Assessment has, a year later, been incorporated in the new standard contractual clauses adopted by the European Union on the 4th of June 2021.
Contents of the assessment
The following topics have to be addressed in the Data Transfer Assessment:
- Description of the service / Analysis of the specific circumstances of the transfer (more specific: length of and actors involved in the processing chain, categories of personal data and data subjects, storage location, transmission channels and formats);
- Analysis of relevant laws in the third country relevant for safeguarding the data (for example with regard to disclosure of data to public authorities);
- Any relevant contractual, technical or organisational safeguards put in place.
Make sure it is a formal assessment with a conclusion, date and signature on it. Official endorsement by the legal representative of the data-exporter is mandatory as well.
Drafting your SCCs
The SCCs are published on the website of the European Union. The model clauses themselves are not easily accessible though, because they are spread out in 4 different annexes. There is a Q&A that is somewhat helpful. To help organisations assemble the right contracts, there are several practical SCC generators available:
- SCC Generator from Essential Guarantees (questions and results in English)
- SCC Generator from JuriBlox (they also provide a SCC generator with Dutch questions, results are always in English)
Contact us you have any further questions with regard to data transfers to third countries such as the U.S. We are happy to help you with your data transfer (impact) assessment or other questions with regard to international data transfers.
Jelle Hoekstra LLM is consultant and mediator at ICT Institute. He is a certified privacy professional (CIPP/E & CIPM), security consultant (ISO27001 Lead Auditor) and IMI Qualified Mediator. Before he worked at several organisations as legal advisor and Privacy & Security Officer. Jelle is member of the International Association for Privacy Professionals (IAPP), the Dutch association for Data Protection Officers (NGFG, Nederlands Genootschap voor Functionarissen van Gegevensbescherming) and member at the International Mediation Institute (IMI).