Are you still compliant with EU general data protection regulation?
3 mins reading time
On 27 June 2021, the European Commission published new Standard Contractual Clauses (SCCs) as a tool for the transfer of personal data from the European Union (EU) and European Economic Area (EEA) to countries outside of those regions.
What are Standard Contractual Clauses?
Data transfers occur when businesses send personal data to another party or make the data accessible by another party, where the data does not relate to the sender or the receiver. Businesses may wish to transfer data because they are part of a corporate group, or they engage with offshore contractors and other processors of personal data. The SCCs are data protection safeguards, used as the permissible grounds for data transfers from the EU to third countries.
The onus is on the business to update their SSCs
The new SCCs were required to be implemented as of 27 September 2021 for any new data-transfer or data-processing related contracts, and, as of 27 December 2022 for any old or existing data-transfer or data-processing related contracts.
If the new SCCs are not in play after 27 December 2022, it is likely that any business transferring personal data will not be compliant with the requirements of the EU General Data Protection Regulation (GDPR). This may expose the business to substantial fines and reputational damage.
Who is affected?
The SCCs are needed if the business transfers personal data to a non-EU or EEA country that has not been recognised by the European Commission as providing an adequate level of data protection, and there is no other legal basis for doing so.
So, the SCCs are needed if you are a business that:
- transfers data from Europe to a country or region outside of Europe;
- is located outside of Europe, and receives personal data from Europe for processing purposes;
- uses cloud-based services and/or other data service providers and has not updated contracts since 27 June 2021;
- is based in Europe, or has major offices there, and has affiliates outside Europe that can access the personal data;
- is based in Europe, or has major offices there, and has vendors, suppliers or customers in countries outside of Europe, which have access to or process personal data.
How can Macpherson Kelley help?
As the only Australian law firm member of global and regional legal networks such as PrivacyRules, Multilaw and the Pacific Legal Network, we can connect you with relevant, trusted and local expertise right across the world.
For advice and further assistance, please contact our Privacy experts.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
more
insights
Climate related financial disclosures are here
Ghost flyer: Qantas ordered to pay $100 million for misleading consumers into purchasing ‘ghost flights’
Corporations and officers can now be held responsible for predatory business models
stay up to date with our news & insights
Are you still compliant with EU general data protection regulation?
On 27 June 2021, the European Commission published new Standard Contractual Clauses (SCCs) as a tool for the transfer of personal data from the European Union (EU) and European Economic Area (EEA) to countries outside of those regions.
What are Standard Contractual Clauses?
Data transfers occur when businesses send personal data to another party or make the data accessible by another party, where the data does not relate to the sender or the receiver. Businesses may wish to transfer data because they are part of a corporate group, or they engage with offshore contractors and other processors of personal data. The SCCs are data protection safeguards, used as the permissible grounds for data transfers from the EU to third countries.
The onus is on the business to update their SSCs
The new SCCs were required to be implemented as of 27 September 2021 for any new data-transfer or data-processing related contracts, and, as of 27 December 2022 for any old or existing data-transfer or data-processing related contracts.
If the new SCCs are not in play after 27 December 2022, it is likely that any business transferring personal data will not be compliant with the requirements of the EU General Data Protection Regulation (GDPR). This may expose the business to substantial fines and reputational damage.
Who is affected?
The SCCs are needed if the business transfers personal data to a non-EU or EEA country that has not been recognised by the European Commission as providing an adequate level of data protection, and there is no other legal basis for doing so.
So, the SCCs are needed if you are a business that:
- transfers data from Europe to a country or region outside of Europe;
- is located outside of Europe, and receives personal data from Europe for processing purposes;
- uses cloud-based services and/or other data service providers and has not updated contracts since 27 June 2021;
- is based in Europe, or has major offices there, and has affiliates outside Europe that can access the personal data;
- is based in Europe, or has major offices there, and has vendors, suppliers or customers in countries outside of Europe, which have access to or process personal data.
How can Macpherson Kelley help?
As the only Australian law firm member of global and regional legal networks such as PrivacyRules, Multilaw and the Pacific Legal Network, we can connect you with relevant, trusted and local expertise right across the world.
For advice and further assistance, please contact our Privacy experts.