Recently we celebrated the anniversary of the GDPR coming into force (May 25th), and we would like to remind you of key issues for those transferring data overseas. The General Data Protection Regulation (GDPR) divides the world into two parts:
a) The European Economic Area (EEA), where there are no particular barriers to the processing of personal data
b) Countries outside the EEA. Data flows outside the EEA (including cloud services, shared access to databases, etc.) are strictly regulated and subject to particular safeguarding mechanisms.
In our digital world, companies often have suppliers across the globe or are part of a larger group. In these cases, to successfully operate globally, they must manage their human resources and client data effectively. For example, shared internal databases are one of the tools that help companies to do this. However, this means transferring personal data.
The data protection landscape is constantly changing, and some changes that have taken place, such as Brexit, or the European Court of Justice’s Schrems II judgment annulling the Privacy Shield mechanism, used for data transfers to the USA, affect transfers of personal data to countries outside the EEA.
New Standard Contractual Clauses
Very recently, the European Commission also adopted new standard contractual clauses (SCCs) for the transfer of personal data to third countries. This affects a large number of businesses, as the SCCs are a very widely used mechanism for data transfers. The new SCCs are available here. If your company is currently using the old SCCs, the deadline for replacing them with the new SCCs is 27 December 2022. The longer transitional period does not apply to new contracts: after 27 September 2021, no new contracts can be signed using the previous set of SCCs.
Taking this into account, we have prepared a brief to-do list to make sure your company is GDPR compliant. It is necessary:
1) to evaluate your data flows, carefully considering all cooperation partners (IT, cloud services) to understand whether it is possible to continue cooperation and what steps must be taken
2) to assess the need for appropriate security mechanisms for transferring data to countries outside the EEA
3) to review and, if necessary, amend agreements with cooperation partners (the standard condition is that data may not be transferred outside the EEA). If your agreements with cooperation partners include the old SCCs, they need to be replaced by 27 December 2022
4) to review privacy policies, which often provide that data is not transferred outside the EEA or reference Privacy Shield mechanisms