Practical Tips to Update SCCs at Your Organisation
The repeal of the Old SCCs is just around the corner – on 27 September 2021. What this means is that organisations can no longer use the Old SCCs when entering a new agreement or data processing operation after this date. Instead, organisations must use the New SCCs. In this blog post, we’ll outline some practical tips to update SCCs at your organisation and answer some FAQs on the topic.
If you’re uncertain about what the Old and New SCCs refer to, read our earlier blog post on the topic: https://privacy108.com.au/insights/new-sccs-gdpr-summary/. Remember – this is just an issue for organisations dealing with customers/partners covered by the GDPR. SCCs are used when you’re transferring data out of the EU (or the EEA to be exact) to a non-EU country.
Steps You Should Have Taken to Adjust to the New SCCs
With the repeal deadline looming, your organisation has probably already started taking steps to adjust to the New SCCs, including:
- Getting familiar with the terms of the New SCCs to consider whether the terms affect your operating processes.
- Updating your templates and processes to ensure any new transfers are based on the New SCCs.
- Developing and implementing a process for conducting transfer impact assessments where needed.
- Mapping your data transfers and categorising them in line with the 4 modules (controller to controller, controller to processor, processor to sub-processor, or processor to controller).
Organisations should also be taking steps to identify data transfers that rely on the Old SCCs and creating a timeline to bring those in line with the New SCCs before the 27 December 2022 deadline.
Your Questions about Updating SCCs Answered
Do you need a Data Processing Agreement (DPA) when you use the new SCCs?
In short, no, you don’t. Once a data exporter enters into an agreement using the New SCCs, a separate data processing agreement is not required to comply with the obligations contained in Article 28 of the GDPR. The agreement using the New SCCs is sufficient.
Which version of the new SCCs should you use?
The new SCCs are split into modules that deal with four different types of transfer, which we outlined above: controller to controller, controller to processor, processor to sub-processor, and processor to controller. This modular approach allows organisations to tailor the agreements to their individual needs.
The version of the modules you should rely upon depends on whether you are a controller or processor, and whether the recipient of the data is a controller or processor.
Defining the Parties
A controller is “a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.”
To determine whether you’re a data controller, under the GDPR you should consider:
- Did your organization decide to collect and process personal user data?
- Did your organization determine the purpose of the data processing?
- Did your organization decide what kind of personal data should be collected?
- Will your organization commercially benefit from processing the data (aside from payment for controller services)?
- Are the data subjects your own employees?
- Did your organization decide about the users concerned as part of or because of the processing?
- Are you properly exercising professional judgment when processing personal data?
- Do you have a direct connection with the data subjects?
- Are you solely in charge of how the data is processed?
- Have you outsourced data processors to process the data?
A processor is “a legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller”.
A sub-processor is a party elected by a data processor to “sub-contract some or all of the data processing to a third party”.
Which Module Should You Use?
Once you’ve ascertained the role of each party, you can determine the correct module to rely on:
- Controller to controller – Module 1
- Controller to processor – Module 2
- Processor to sub-processor – Module 3
- Processor to controller – Module 4
Can You Change the Wording of the New SCCs?
No, absolutely not. You should use the specific wording provided by the European Commission to describe the roles and responsibilities of the parties and to detail the data transfers in the Annexes.
However, you may include the New SCCs and additional provisions in a broader contract, so long as the additional provisions do not contradict the New SCCs or infringe on the data subject’s privacy rights.
Practical Tips to Update SCCs
Organisations with moderate to high numbers of data agreements that rely on the SCCs should work to develop automated processes that streamline the creation of compliant agreements that incorporate the New SCCs. Here are some suggestions:
- Create an internal document with Autofill Fields that generates a document with details of the relevant parties, appropriate module, and any standard form protections.
- Incorporate the SCCs, including the relevant modules, by reference into the existing contract. In this case, the 3 annexes contained in the New SCCs will still need to be completed. The docking clause, governing law and jurisdiction clauses should also be included.
- If you’re happy that there are no significant differences between your customers, service providers, etc. in terms of the type of data, purpose of processing and other measures, you can pre-complete the detail required in the annexures.
If you need assistance updating your agreements to bring them into compliance with the New SCCs, reach out. Privacy 108’s privacy specialists are here to help.