Data Protection Consultation at KINAST
Standard Contractual Clauses
In a globalized economy, data knows no borders. It flows freely between countries, often without the knowledge or consent of the people it belongs to. This poses unique challenges when it comes to data protection. Standard Contractual Clauses address these challenges.
What are Standard Contractual Clauses?
Standard Contractual Clauses (SCCs) are a mechanism ensuring appropriate data protection safeguards under the GDPR, which can be used as a ground for data transfers from the EU to third countries. Pursuant to Art. 46 (2) lit. c GDPR, they are adopted by the European Commission in accordance with the examination procedure referred to in Art. 93 (2) GDPR.
On June 4th, 2021, the European Commission issued modernized SCCs for data transfers from controllers or processors in the EU/EEA (which are subject to the GDPR) to controllers or processors established outside the EU/EEA. In terms of content, they take into account the GDPR as well as the so-called “Schrems II” ruling of the European Court of Justice of July 16th, 2020. Due to extended obligations imposed on both data exporters and data importers, they contribute significantly to ensuring an adequate level of data protection for data transfers to third countries.
Do you need an External Data Protection Officer?
Five steps to compliance:
Introduction of your company and KINAST as well as the relevant contact persons. Discussion of the current data protection setup and most important data protection topics.
We conduct a data protection audit on-site or based on questionnaires to evaluate the current data protection status of your company.
Document the current data protection status and define further required actions if necessary.
We carry out all necessary measures identified during the data protection audit.
Designation as External Data Protection Officer and ongoing consultation starting from day 1.
Standard Contractual Clauses in action
As an example, the new Standard Contractual Clauses played a major role during a consultation with a large industrial company. The company undertook a large global marketing campaign, influenced by specific data protection requirements in 38 countries.
Since most of the client’s legal entities are located in third countries, these international data transfers had to be secured, among other things, by concluding the new SCCs. For this purpose, we prepared a contract amendment which incorporated the new SCCs. This contract was then signed by all data importers and data exporters in third countries.
In addition, our data protection lawyers provided supplemental consultation to explain the background of these changes and the additional requirements associated with them.
How do we guarantee your data protection compliance in your international company or corporation?
If required, we can act as your External Data Protection Officer. To guarantee a timely and cost-effective execution of necessary data protection measures, we’ve developed our own concept based on a three-point plan:
As a first step, we carry out a risk assessment in your company. We carry out the risk assessment either on-site or remotely. Based on the findings, we prepare a report that documents the degree of compliance with data protection standards. Furthermore, the report identifies any vulnerabilities, proposes suitable measures to remedy those vulnerabilities, defines responsibilities and sets a timetable for the implementation of these measures.
In a next step, we implement any measures which we identified within the framework of the risk assessment. In doing so, we attach great importance to tying up your internal resources as little as possible.
Finally, as an External DPO, we permanently support your company regarding all aspects of data protection. We thereby ensure ongoing compliance with legal standards, the adaptation of procedures to the requirements of new laws and the consideration of current changes in internal processes.
Why KINAST should be your first choice for implementing new Standard Contractual Clauses
Our team is composed of legal professionals who have both the historical background and theoretical knowledge, as well as the ability to apply it in practice and in the specific client-related case. We assist in drafting and amending contracts to include or update the new SCCs and in implementing requirements, and we guarantee goal-oriented advice to keep our clients prepared for future developments and ensure the conformity of their data processing activities with applicable data protection law.
Do you need legal guidance with Standard Contractual Clauses?
Data protection law, especially on the international stage, can be a legal minefield. Our experienced lawyers and data protection officers are here to help. KINAST Attorneys at Law are specialised solely in data protection and we’ve been advising international groups and corporations since before the GDPR came into effect. We guarantee that your company is in the safest hands.
So why not contact us today for a free, no-obligation consultation?
Frequently asked questions
We understand that many clients still have questions about Standard Contractual Clauses and even the services offered at KINAST. We’ve answered some of the most frequently asked questions here. If you have more specific or specialist questions, feel free to contact us, and one of our Lawyers or Data Protection Officers will get back to you as soon as we can.
The new SCCs replace the old SCCs that were adopted under the previous Data Protection Directive 95/46/EC. Since September 27th, 2021, it is no longer possible to conclude contracts incorporating these old SCCs. Until December 27th, 2022, controllers and processors can continue to rely on those old SCCs for contracts that were concluded before September 27th, 2021, provided that the processing operations that are the subject matter of the contract remain unchanged. After this date, international data transfers may only be based on the new SCCs, which must therefore be concluded by the end of the year.
Yes, the UK has also recently published its own SCCs. The documents consist of the International Data Transfer Agreement (IDTA), which should replace the (old and new) EU SCCs, the International Data Transfer Addendum (Addendum), which complements the new EU SCCs, as well as transitional provisions with regard to the UK Transitional Standard Clauses (published as a short-term measure following Brexit). The documents were issued under Section 119A of the Data Protection Act 2018.
It is worth noting that China is currently preparing to implement its own SCCs as well. The long-awaited draft provisions were circulated pursuant to Art. 38 of the Personal Information Protection Law and have already been released for public consultation. They are similar to the EU SCCs, but also reflect some peculiarities. However, a few issues are still unresolved and the draft is currently under intense discussion. A final version is still awaited.
According to Clauses 14 and 15 of the SCCs, it must be verified whether the conclusion of the SCCs can guarantee a sufficient level of data protection in the recipient country. In this regard, the obligation to conduct a Transfer Impact Assessment (TIA) arises directly from the SCCs. The TIA is an internal risk assessment for data transfers to (insecure) third countries. In the course of the assessment, the security level of the respective third country to which data is to be transferred must be assessed, appropriate (additional) safeguards implemented, and assurance given that adequate protection of personal data is guaranteed.
For data transfers from the UK to third countries, a TIA as mentioned above is also necessary; however, it is called a Transfer Risk Assessment (TRA) and can be conducted following the guideline provided by the Information Commissioner’s Office (ICO).
The content of the SCCs may not be changed in any way that softens the regulations. Tightening and additions to the regulations are of course possible as long as they do not contradict the purpose. Furthermore, for the SCCs to be effectively concluded, the entire text of the clauses (in particular, the footnotes) must be included and signed by the respective parties.
In principle, both a combination of a DPA and SCCs as an annex (with the SCCs taking precedence in the event of conflicting clauses) and the sole use of only the SCCs are possible. In this respect, it is an individual company decision.
The advantage of the SCCs is that they can be concluded quickly and without problems due to their unchangeability. An additional DPA, however, offers the advantage that it can contain more extensive regulations or individualizations, which it does in many cases.