On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data to countries outside the EU/EEA (third countries) once the current SCCs are repealed.
What are EU Standard Contractual Clauses
EU standard contractual clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection for the transfer of personal data to a third country. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor.
Where personal data is transferred from:
- A data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
- A SaaS supplier within the EU to a sub-processor located outside of the EEA;
the SaaS supplier will need to enter into EU standard contractual clauses with the SaaS customer or SaaS sub-processor, as applicable.
When EU standard contractual clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met and no specific consent will need to be obtained from individual data subjects.
This is a common scenario in a SaaS agreement, where a SaaS customer based in the EU is accessing SaaS software provided by a SaaS supplier who uses a hosting centre in the USA or an outsourced IT development centre located in India or Asia to process the SaaS customer’s personal data.
When must the new SCCs be used
The current SCCs may only be used for a period of 3 months once the new SCCs come into force on the 27th of June 2021 (publication). This means that SaaS suppliers and SaaS customers can continue to use the old SCCs for all existing and new SaaS contracts for the time being. However, once the new SCCs come into force, the new SCCs must be used:
- 3 months later for all new SaaS contracts; and
- within 18 months for all existing SaaS contracts.
Adapting the new SCCs
The structure and content of the SCCs have changed. The SCCs are no longer a “standard template” which can be added unaltered as an appendix to a SaaS agreement. The new SCCs use a modular approach and must be substantially customised by adapting and removing any modules that do not apply. There are now 5 annexes that need to be customised and the total length of the SCCs is over 35 pages.
Transfer of data from the UK
The new SCCs are specific to transfers of personal data from the EU to third countries. They do not cover transfers of UK personal data to third countries as the UK is not an EU Member State. UK based SaaS suppliers and SaaS customers will need to use a UK version of the new SCCs for transfers of personal data from the UK to third countries – once this is created by the UK data protection supervisory authority (ICO).
Adapting and implementing the new SCCs
SaaS customers and SaaS suppliers need to take the following steps to enable them to adapt and implement the new SCCs:
- create a data mapping of all personal data transfers;
- carry out a transfer impact assessment and document this;
- adapt each module of the new SCCs in light of the above;
- customise the annexes for use with different types of controllers and processors i.e. customers, suppliers, agents and intercompany transfers;
- use the new SCCs for all new SaaS agreements with customers and suppliers entered into from the 27th of September 2021; and
- change all existing SaaS agreements with customers and suppliers to incorporate the new SCCs by the 27th of December 2022.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me: