The new EU Standard Contractual Clauses (new SCCs) must now be used by all SaaS suppliers and SaaS customers who transfer personal data from the EU to countries outside the EU/EEA (third countries) as the old SCCs (old SCCs) were repealed on the 27th of September 2021. Below is a summary of the changes and measures that SaaS suppliers and SaaS customers need to take to adapt and implement the new SCCs.
What are EU Standard Contractual Clauses
EU standard contractual clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection for the transfer of personal data from the EEA to a third country – known as a restricted transfer. Until the 27th of September 2021 there were two sets of standard contractual clauses: (i) for transfers of personal data between data controllers; and (ii) for transfers between a data controller and a data processor.
New SCCs must be used where EU personal data is transferred from:
- A data controller (SaaS customer) to a data processor (SaaS supplier) located outside of the EEA; or
- A SaaS supplier (data processor) transfes EU personal data to a sub-processor located outside of the EEA;
The SaaS supplier will need to enter into the new SCCs with the SaaS customer or SaaS sub-processor, as applicable.
When must the new SCCs be used?
From the 27th of September 2021 all new data processing agreements with customers and suppliers (including inter-company agreements) must use the new SCCs. SaaS suppliers and SaaS customers can continue using the old SCCs for existing agreements until the 27th of December 2022. On or before the 27th of December 2022 all old SCCs must be replaced with the new SCCs.
How are the new SCCs different?
The new SCCs cover 4 different types of transfers:
- controller to controller;
- controller to processor;
- processor to processor;
- processor to controller.
SaaS suppliers and SaaS customers must adapt and customise the 4 modules as required for each customer, supplier or inter-company data transfer, as applicable.
No separate DPA required
The new SCCs include all of the provisions that must be included in a written data processing agreement under Article 28 of the GDPR. This means that the new SCCs can be used without the need for any additional DPA. However, SaaS suppliers and SaaS customers should still have an overarching data transfer agreement that the new SCCs form a part of, in appropriate cases, as the new SCCs have very onerous provisions that should only apply to transfers of EU personal data.
Obligations of the Parties
Each of the 4 modules sets out the different data protection obligations of the parties which will need to be customised for each applicable module, or deleted if a module does not apply.
Specific technical and organisational measures (TOMs) must be described in Annex II of the new SCCS, clearly indicating which specific measures apply to each transfer.
Competent Supervisory Authority
The data importer agrees to accept the authority of the competent data protection authority named in Annex I of the new SCCs, respond to its enquiries, comply with the measures adopted by the data protection authority and submit to audits by the data protection authority.
The data protection authority of the data exporter, not the data importer will be the competent supervisory authority.
Where the data exporter is not located in the EU, but is subject to the GDPR the supervisory authority will be that of:
- the country in which the data exporter’s EU representative is established; or
- the EU country in which the data subjects whose personal data is transferred are located, where no EU representative is required under the GDPR.
Local Law Assessment and Documentation – Schrems II
The data exporter and data importer must warrant that they have completed a data transfer assessment (DTA) of the local laws in the third country to which EU personal data will be transferred, where SCCs (of BCRs) are relied upon as the lawful basis for the transfer. They must also warrant that they have no reason to believe that such laws would prevent the importer from complying with their obligations under the new SCCs.
The parties must document this DTA (known as a “Schrems II assessment”) and make the DTA available on request, to a data protection supervisory authority.
Access by Public Authorities
Data importers must comply with the contractual obligations set out in the new SCCs if they receive a binding request from a public authority for disclosure of personal data. This includes notifying the data exporter, documenting responses and requests, providing periodic reporting to the data exporter, and challenging requests, if the data importer determines that any access request is unlawful.
Third Party Beneficiaries
Data subjects can make direct claims and complaints against the data importer for breaches of the new SCCs.
The data exporter and data importer are jointly and severally liable for breaches of the new SCCs. Each party is also liable to the other and data subjects for breaches of the new SCCs.
These are only permitted where the third party receiving the personal data signs the new SCCs or is established in a country that is “adequate”, such as the UK.
What about the UK
The new SCCs cannot be used for UK personal data. The old SCCs adapted by the UK Data Commissioner(ICO) must be used in relation to all UK personal data.
Implementing the New SCCs
In order to implement the new SCCs SaaS suppliers and SaaS customers need to:
- carry out a data mapping exercise to identify all personal data transfers;
- carry out and document a Schrems II data transfer assessment for each transfer using SCCs or BCRs;
- review and amend their technical and organisational measures used for protecting personal data transferred to third countries;
- identify and review all existing contracts and template agreements that involve the transfer of EU personal data to a third country;
- amend all exisitng DPAs to incoporate the new SCCs;
- adapt and customise the new SCCs and their Annexes for transfers to and from customers, suppliers and inter-group companies;
- use the new SCCs for all new contracts entered in from 27th of September 2021;
- replace the old SCCS with the new SCCS in all existing contracts by the 27th of December 2022.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:
To register for my newsletter click here
Other related articles:
- SaaS Agreements – Data Protection – Schrems II Data Transfer Assessments
- SaaS Agreements – Data Protection – New Standard Contractual Clauses
- SaaS Agreements – FAQs – EU Standard Contractual Clauses
- SaaS Agreements – GDPR – EU-US Privacy Shield Invalid
- SaaS Agreements – Data Protection – New General Data Protection Regulation (GDPR)
- SaaS Agreements – GDPR – Data Processing Agreement
- SaaS Agreements – GDPR – US companies