Written by: Audrey Malaise

Tic tac tic tac! 27^th of December is coming up! 

Is your organisation using a US-based provider? Do you work via Teams with your colleagues? Is your helpdesk located in Asia? Do you use Google Analytics on your website? Or maybe your cloud provider is located outside of the European Economic Area? If your answer to any of these questions is yes, then you might want to read the following blogpost to avoid violation of the GDPR.

What are International data transfers? 

In today’s world, there are very few organisations that process all their personal data in the same country they are established in, and if they do, chances are big that one or their processors does not.

A transfer of personal data, if made within the European Economic Area (hereafter “EEA”), doesn’t require any additional measures. However, if the processing is done outside the EEA, it is considered as an international data transfer and some additional measures must be taken.

In addition to countries within the EEA, the European Commission established a list of countries providing an adequate level of protection, meaning that they offer a level of data protection sufficient with regard to the GDPR.

This list consists of Andorra, Argentina, Canada (commercial organisation), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED and Uruguay. For more information, see: adequacy decisions.

You might want to double check if all your processing is based in the EEA or in one of those countries that are considered adequate or ‘safe’. Indeed, often, a helpdesk, support, debugging team, escalation of problem, call center etc. are located outside these countries. In this case, the personal data you process is subject to an international data transfer.

The most used mechanism for international data transfers, is the integration of Standard Contractual Clauses (hereafter “SCCs”) in your contracts.

What are Standard Contractual Clauses (or SCCs)? 

Standard Contractual Clauses are a mechanism that provide appropriate safeguards in case of international data transfers, as described in Article 46 of the GDPR. These clauses dictate the appropriate measures that will be taken by both the data exporter and the data importer to provide an adequate level of protection to the personal data processed internationally.

A new set of SCCs 

In June of 2021, the European Commission adopted a new set of Standard Contractual Clauses. These modernised clauses, based on the GDPR, remain applicable for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

Steps to be taken to comply with the new SCCs.

1. Assess your international data transfers

The first step is to identify the international data transfers. This is the case when:

• Your providers have access to personal data from outside the EEA;
• You have foreign (outside the EEA) affiliates that have access to personal data;
• You send or receive personal data to/from customers (…);
• This provider, foreign affiliate and/or customer is based in a country outside of the EEA and they are not a country outside the EU that offer an adequate level of protection.

If this is the case, you need to ensure that the proper measures are taken to remain compliant.

2. Update your contracts

In case of international data transfers with a country that is not recognised as providing an adequate level of protection, your data processing agreement should compensate for the lack of sufficient protection.

This new deadline is the perfect occasion to check that your contracts include the necessary SCCs and, if so, that those are the new set of SCCs. Your organisation should reach out to their providers, affiliates and/or customers to modify the agreements in that sense.

3. Perform a transfer impact assessment

Including SCCs to your contracts is not sufficient to be compliant with the GDPR. You must perform transfer impact assessments (hereafter “TIAs”) for these processing activities that occur outside of the EEA. These assessments are meant to evaluate the level of protection of the transfer and determine if the use of a transfer mechanism (notably SCCs) is sufficient.

When should you update your SCCs? 

As soon as possible. Since the 21^st of September 2021, all new contracts concluded should include the new set of SCCs. But as for any major change, the European Commission had foreseen a transition period. To give organisations enough time to update their contracts that included the previous set of SCCs, the European Commission has foreseen a transition period.

The transition period comes to an end and the deadline is nearing fast: note December 27^th 2022 in your agendas. Until then, organisations can still rely on the previous SCCs to lawfully transfer personal data to third countries. After this date, you need to ensure that you take appropriate measures to ensure your organisation remains compliant in 2023.

What are the risks if you don’t update your SCCs? 

The obvious risk relates to fines. As for any type of violation of the GDPR, the absence of a proper mechanism for international data transfer (i.e. the absence of valid SCCs), can lead to an investigation by a supervisory authority and the fining of your organisation.

Another risk to be considered relates to your reputation and commercial relations. As privacy has gained more and more consideration in the public eye, organisations don’t want to look like they don’t care about data protection. Having outdated SCCs will make it look like you don’t give data protection the importance it deserves.