Germany Update on the new Standard Contractual Clauses
25/10/2022
Background
Following the Schrems II ruling of the European Court of Justice in July 2018, the EU Commission revised the Standard Contractual Clauses (SCC) as a guarantee within the meaning of Art. 44 GDPR for a transfer of personal data to a third country and adapted them to the requirements of the GDPR. They have been in force since 27 September 2021 and are available to everyone.
What has changed?
- There are now four different modules that map all conceivable contractual constellations (controller-controller, controller-processor, processor-subcontractor, processor-controller).
- There is a tying clause whereby other companies can join the contracts.
- If a national authority makes a request for information to the data importer, the importer must examine the lawfulness of the request and, if necessary, take action against it. The importer also undertakes to inform the data exporter and the persons concerned of the official procedure.
- The contracting parties must carry out a comprehensive data transfer impact assessment (so-called TIA, Transfer Impact Assessment). They must assess the level of data protection in the third country and must have no reason to believe that laws from the third country undermine or counteract the required level of protection.
Of course, all this must also be carefully documented.
And why are we telling you this?
Since 27 September 2021, the old SCCs may no longer be used for new contracts. For old contracts, i.e. contracts concluded before 27 September 2021, the EU Commission has granted a transitional period until 27.12.2022. Until then, companies have time to convert their contracts to the new standard contractual clauses.
If personal data is transmitted on the basis of the old SCC beyond 27.12.2022, this is inadmissible data processing and can be subject to a fine under the GDPR. This also applies if the new SCCs are already in use but have not yet been fully implemented, e.g. if no risk assessment has been carried out. The risk assessment in particular can be quite extensive, because each data transmission has to be checked and evaluated individually. Following the evaluation, it must be examined whether and to what extent the implemented technical and organisational measures are sufficient or whether further measures need to be taken. The testing and the subsequent documentation take up a lot of time and capacity.
This means for you:
1. Check whether your company transfers personal data outside the EU/EEA.
2. Is the data transmitted on the basis of SCC? If so, are the old or the new SCCs used?
- If the new SCCs are already in use, you are already one step ahead. If the risk assessment has also been carried out and the other requirements have been met, you have reached your goal.
- If the old SCCs are used, it is high time to take action.
By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact germany@transatlanticlaw.com