Charlie Bromley-Griffiths, Corporate Counsel at Conga
27 December 2022 is the looming deadline on which a new mandate by the European Commission will be enacted, requiring all existing contracts held by businesses within the EU and EEA to be updated in compliance with the Standard Contractual Clauses (SCCs).
Companies processing cross-border data transfers from the European Union (EU) / European Economic Area (EEA) to third countries must update existing contracts to reflect the new SCCs issued by the European Commission on 4 June 2021. This stems from the decision issued by the Court of Justice of the European Union (CJEU) in July 2020, which impacts how companies transfer personal data outside the EU/EEA.
This decision is often referred to as ‘Schrems II’; it requires businesses to carry out country and transfer risk assessments before transferring data from the EU/EEA to countries which are not deemed ‘adequate’, i.e. do not offer an adequate level of protection under the General Data Protection Regulation (GDPR).
SCCs: an explanation and how Schrems II fits in
SCCs are model contract clauses that are pre-approved by the European Commission for use in contracts. SCCs were updated in light of the GDPR obligations around data protection and data transfers outside the EU/EEA. Contract wording for SCCs can be accessed from the European Commission’s site.
Schrems II is the judgement that obligates companies to verify the privacy protection in the recipient country when relying on SCCs, to be compliant with international data transfer regulation. It is named after a case, centred around privacy, brought by Maximilian Schrems.
What has changed?
SCCs provide wording for inclusion in contracts to keep them compliant when it comes to data transfers outside the EU/EEA. In June 2021, these were updated by the European Commission. As a result, contracts that include SCCs must be updated.
The deadlines
New contracts have had to include the updated SCCs wording from 27 September 2021.
This year, existing contracts that include the previous version of the SCCs must be updated before 27 December 2022.
What businesses need to do
All companies impacted by the change to SCCs and the Schrems II decision must act to:
- Operationalise the new regulations, including a process for transfer risk assessments
- Remediate existing contracts to include the updated SCCs – before 27 December 2022
Establish processes to operationalise the new regulations
To comply with the new personal data transfer regulations, companies will need a range of processes in place to, for example, understand cross-border data flows and export jurisdictions and execute transfer impact assessments. A clear and comprehensive communications and training plan will be needed to ensure the process changes are understood, implemented and become a new way of working.
This is an opportune time to assess your business processes for establishing compliant contracts going forward. End-to-end contract lifecycle management maximises the value of every contract with tools to automate and standardise processes to lower risk and boost compliance, as well as speed up contract management tasks and improve efficiency.
Remediate existing contracts
Most businesses will have hundreds, if not thousands, of contracts. To manually identify those that need to be updated to reflect a change, such as the one to SCCs, would be unacceptably time-consuming. It would also be particularly error-prone. Once all contracts that are impacted have been identified, the specific clauses to amend must be located. The problem is one of contract visibility and the need for an automated solution that can interrogate the contents of contracts to extract the pertinent information.
Contract intelligence technology, with artificial intelligence (AI), takes the jeopardy out of the otherwise onerous task of contract discovery and search. It extracts unstructured text from commercial agreements and organises it into structured data for action. Add in a human review to validate data accuracy and continually train the AI functionality to achieve 100 percent accurate data extraction.
Looking to the future
Schrems II will have major implications for all organisations that transfer their data outside of the EU/EEA. Whilst the future of data privacy will be shaped by the European Commission, regulators, and other international courts, businesses cannot simply wait for further guidance. Schrems II presents a new data landscape and no doubt there will be further changes in the future. Moving forwards, companies should address this challenge head-on by reviewing their internal operations and having clear measures in place.
By taking strategic or technical steps more proactively, companies can build up critical capabilities and maintain their customers’ trust. In return, businesses will be better prepared for all outcomes and a more volatile data-privacy environment in the future.