International Data Transfers - SCC deadline!
As a lot of organizations are struggling with international data transfers, I thought it would be a great idea to guide you through the different options! First things first of course. When an adequacy decision is granted to a certain region/country, you can transfer personal data to that specific country/region outside of the EEA. In case no adequacy decision is granted there are other mechanisms that might be considered:
Standard contractual clauses
As from 27 September 2021, organizations need to use the new SCCs, with the only exception of existing international data transfer agreements, which have a transition period until 27 September 2022!
Standard contractual clauses (SCCs) are standard sets of contractual terms and conditions which the exporter and the importer of personal data both sign up to, aimed at protecting personal data leaving the EEA.
Currently there are four modules of SCCs issued by the European Commission, directed at the transfer of personal data from controller to controller, controller to processor, processor to processor and processor to controller.
When choosing to rely on standard contractual clauses, companies will need to make sure that the SCCs are supplemented with the necessary measures so that they can actually be lived up to. On 18 June 2021 the EDPB adopted the recommendations 01/202 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data! If you want to be sure that your organization is covered, you will need to follow the next steps:
- Step 1: Know your transfers
- Step 2: Identify the transfer tools you are relying on
- Step 3: Assess whether the article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer.
- Step 4: Adopt supplementary measures (e.g. TOMs, contractual measures, …)
- Step 5: Procedural steps if you have identified effective supplementary measures
- Step 6: Re-evaluate at appropriate intervals
Binding Corporate Rules
For a multinational group of companies, another option would be to draft Binding Corporate Rules (“BCRs”). BCRs are legally binding and enforceable internal rules and policies for data transfers within the group of companies, allowing the transfer of personal data from the EEA to affiliates located outside of the EEA in compliance with GDPR. Binding corporate rules must be approved by the lead supervisory authority, following an opinion of the EDPB.
Art. 49 derogations
In accordance with article 49 GDPR, certain types of data transfers can be executed pursuant to specified derogations. It must be underlined however that these must be treated as what they are, namely ‘derogations’. This means that they can only be applied as an exception to the rule of having to put in place appropriate safeguards or to transfer the data based on an adequacy decision. They must thus be interpreted restrictively, can only relate to processing activities that are occasional and non-repetitive, and shall take place in accordance with the conditions that are foreseen for them.
Codes of Conduct and certification mechanisms
Although there is little evidence of their actual use today, GDPR recognizes Codes of Conduct and certification mechanisms as valid mechanisms for the transfer of personal data outside of the EEA.
Storage and processing of personal data within the EEA
Last but not least, companies should consider re-evaluating their transfers to outside the EEA to determine whether these transfers are really necessary (i.e. is there a possibility to replace them with an EEA alternative?) or at least do a data minimization exercise.
CEO at van Steenis & Partners nv | Interim CCO & CPO's | Testing & Training your Leaders & Salesmen since 1991 | Sales & Leadership Coaching on-the-Job | Recruitment & Selection | Assessment & Development Centers
1 year: Thanks for sharing this, Geoffrey!