International data transfer: New FAQ document from the European Commission on standard contractual clauses

On 25 May 2022, the European Commission published an FAQ document on the "new" standard contractual clauses (SCCs), in which it provides practical advice on how to deal with the SCCs in 44 questions and condensed answers (available here).

It covers both questions of a general nature, such as "What are standard contractual clauses?", but also controversial legal questions around international data transfers, such as: "Are special measures necessary to comply with the ECJ's requirements in the Schrems II ruling? Is it still necessary to take into account the guidelines of the European Data Protection Board?".

Standard contractual clauses continue to be a perennial issue in data protection practice. Hardly any topic in data protection concerns companies more than the question of how personal data can continue to be transferred to the USA and other so-called third countries in compliance with the GDPR. Since the Schrems II ruling of the ECJ, data transfers to recipients outside the EU or EEA are only permitted to a limited extent. The ("new") SCCs of the European Commission, which came into force on 27.06.2021, are a central instrument to continue to legitimise such data transfers.

Practical advice - which deadlines currently need to be observed?
In the second half of 2022, companies must keep two deadlines in mind in this regard:

• From 27.09.2022, only the new SCCs may be used for newly concluded contracts.
• Existing contracts must be converted to the new SCCs by 27.12.2022.

Companies should take these deadlines as an opportunity to check their contractual relationships for legal conformity in this context and - if they have not already done so - to convert to the new SCCs in the short term.

In doing so, it should be noted that according to the new SCCs, a so-called Transfer Impact Assessment ("TIA") must be carried out and documented. In this assessment, the contracting parties must document that they have no doubts about compliance with European data protection standards in the country of the data importer against the background of the protective measures taken (additional protective measures or "guarantees") and that the rights of the data subjects are protected in this respect.

In practice, we see that authorities attach great importance to robust TIAs. Companies should establish a structured process for implementation and documentation. SKW Schwarz has developed a tool with which this process can be carried out in a standardised manner.
Please feel free to contact us on this and on all questions regarding standard contractual clauses and international data transfers.