Tick-tock... did you hear that? That was the sound of a deadline passing. On December 27, 2022, the EU's GDPR standard contractual clauses (SCCs) became officially binding - a call to arms for businesses around the globe. Surprisingly, numerous companies, from small startups to large corporations, have yet to embrace these changes. Could this be you?
Adopted in June 2021, the new SCCs bring with them a wave of transformation to our digital world, revolutionizing how we handle data transfers, especially across borders. If you're still on the sidelines or not entirely aware of what these changes imply, you're in the right place. This post is your wake-up call - a comprehensive guide to understanding these pivotal adjustments, their impact, and why it's time for your company to join the compliance bandwagon. Read on, for the world of GDPR is shifting, and the time to act is now! Let us help you with the fine print.
The clauses introduce significant changes:
Each set of clauses contains specific provisions tailored to the individual transfer type being carried out. For example, C2C clauses may include provisions related to joint data controllership. In contrast, C2P clauses may include provisions related to data processing instructions and security measures.
It's vital for organizations to ensure they are using the correct set of clauses for their individual data transfer scenario and to verify that all obligations and requirements are being met in compliance with the EU GDPR. However, ascertaining which scenario applies in any particular data processing context, for example in the ECJ's Facebook fan page decision, can be difficult.
While the new standard contractual clauses are "ready-made" templates, they are nowhere near sufficiently safe: properly using them has also become much more difficult due to the Schrems II decision requiring an "essentially equivalent" level of data protection within third countries. Therefore, especially when using standard contractual clauses to protect a data transfer outside of the EU, it's imperative to consider essential issues:
Overall, the new EU GDPR standard contractual clauses are designed to provide excellent protection and flexibility for personal data transfers in compliance with EU GDPR requirements. Nonetheless, data transfers outside the EEA are becoming increasingly complex and risky. Therefore, we recommend looking at the FAQ provided by the European Commission.
Key references:
SCC: Standard Contractual Clauses: standardized contractual clauses developed by the European Commission to ensure the protection of personal data during transfers between EU member states and third countries.
GDPR: General Data Protection Regulation: a data security directive by the European Union governing the protection of EU citizens’ personal data and introducing consistent data protection standards across the EU.
C2P: Consumer to Platform: a business relationship whereby consumers purchase services or products from a platform provided by a company.
EEA: European Economic Area: a single market allowing for the free movement of goods, services, capital and people among member states of the European Union and members of the European Free Trade Association.
EU: European Union: a political and economic union of 27 European countries promoting cooperation in various sectors including trade and law.
C2C: Consumer to Consumer: a business relationship whereby consumers directly buy or sell from or exchange products or services with each other.
P2C: Platform to Consumer: a business relationship whereby a platform sells services or products to consumers.