As businesses continue to operate in an increasingly globalised economy, the transfer of personal data across international borders has become a critical aspect of many operations. However, with the latest legislative changes from the EU, it has become more challenging to transfer data lawfully to third countries. By now, you may have had requests to amend your contracts with international counterparts. This is so because the "old" Standard contractual clauses ("SCCs") have been amended.
SCCs are model contracts for the transfer of personal data adopted in 2001 and 2004 by the European Commission in terms of the EU Data Protection Directive (the predecessor to the EU General Data Protection Regulation ("GDPR")).
In its questions and answers guide, the European Commission describes SCCs as a set of:
"Standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. They can be incorporated by controllers and processors into their contractual arrangements with other parties, for instance, commercial partners."
In June 2021, the European Commission updated the old SCCs for the transfer of personal data, which were partly due to the Schrems II court case and the EU GDPR. The updated SCCs replaced the old SCCs, and there was a transition period of three months (until September 2021) before the old SCCs could no longer be used to transfer data lawfully to a third country. For a further 15 months, data exporters and importers were allowed to continue to rely on the old SCCs. At the end of this period, both exporters and importers had to switch to the Updated SCCs or rely on another method to transfer personal data out of the EU under the GDPR.
Therefore, as of 27 December 2022, the old SCCs, including those signed before June 2021, can no longer be used to lawfully transfer data to a third country. That is why controllers/processors (EU parlance for responsible parties/operators under the Protection of Personal Information Act, 2013) may contact organisations in South Africa to update their agreements.
The updated SCCs feature more guidance about what to do when transferring personal data into a country with different data privacy laws and practices to the GDPR. They also include several modifications and quality enhancements from the old SCCs since they are aligned with the GDPR requirements and the Schrems II ruling.
Updating your agreements to comply with the updated SCCs is critical to protect personal data during transfer and maintain compliance with EU data protection laws. we can assist with updating your existing agreement to ensure compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.