Standard contractual clauses for transfers of personal data

The European Commission has published draft standard contractual clauses for transfers of personal data from the European Union to third countries (new SCCs). Once approved, the new SCCs will replace the previous standard contractual clauses. It is expected that the new SCCs will be adopted by the European Commission at the beginning of 2021.

As a result, schools currently using the existing standard contractual clauses may need to replace these with the new SCCs within a year from their adoption in order to continue making international transfers of personal data to third parties located outside of the European Economic Area (EEA) in compliance with the GDPR. Schools will have twelve months from the date the new SCCs come into force to replace any existing standard contractual clauses currently being relied upon for the performance of a contract concluded between them before that date, provided the contracts remain unchanged. Where contracts containing the old standard contractual clauses are amended before this date, you will need to change to the new SCCs at the same time.

The new SCCs have specific sets of clauses that can be used not only for controller-to-controller and controller-to-processor transfers, but also for processor-to-processor and processor-to-controller personal data transfers. As well as providing safeguards within the meaning of Article 46(1) and 46(2)(c) of the GDPR, the new SCCs also set out the rights and obligations of controllers and processors. This will mean that, where controller-to-processor or processor-to-processor new SCCs are used, a separate data processing agreement will no longer be required.

At present, most controller-to-processor data processing arrangements usually require processor to sub-processor contracts to mirror the rights and obligations in the original arrangement. The introduction of direct accountability of sub-processors to controllers brings the new SCCs in line with the GDPR.

At the time of agreeing to the new SCCs, the parties must confirm that they have no reason to believe that the laws applicable to the data importer do not contradict the new SCCs. If it is determined that the new SCCs are not appropriate on their own, schools will then need to consider if any supplementary, in particular, technical measures are available which could ensure that the transferred data is afforded the level of protection required under the GDPR.

The ICO is reviewing the new SCCs but it is currently uncertain whether the government intends to adopt the new SCCs, which will are likely to be adopted by the European Commission after the end of the Brexit transition period. If the new SCCs are not adopted by the UK, the ICO may publish its own version of GDPR standard contractual clauses.

The European Commission is currently carrying out an adequacy assessment of the UK and is aiming to make a decision by 31 December 2020. If the UK secures an adequacy decision, transfers of personal data from the EEA to the UK will be able to continue as if the UK were still an EU member. In the absence of an adequacy decision, when the transition period ends, the GDPR rules for international personal data transfers will apply to any data coming from the EEA into the UK. It would be necessary to have an appropriate transfer mechanism, such as the new SCCs, in place to transfer personal data from the EEA to the UK. The UK Government has confirmed, however, that personal data transfers from the UK to the EEA will be permitted after the Brexit transition period. For schools, this means that no new arrangements will be needed for transfers from the UK to the EEA.