The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR? - Tech Contracts

The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR?

[Things don’t stand still in the world of data privacy. Check out our updates about the EU Adequacy Decision and next steps: https://www.techcontracts.com/2023/07/21/personal-data-transfers-schrems/, and background here – Third Time Lucky? Personal Data Transfers between the U.S., EU, UK; Draft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]

Does the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) apply to your contracts’ transfers of Personal Data from the European Economic Area (“EEA”) to a country (such as the United States) that the EU deems to lack “adequate” safeguards?

If so, do you rely on contract terms to permit such cross-border transfers?
If yes, it’s time to check your contracts – do they have the current SCCs for international transfers (Commission Implementing Decision (EU) 2021/914, aka “new” SCCs”)?
- The grace period to transition from earlier SCC versions (where entered into by September 27, 2021) ends December 27, 2022.

Here’s a link identifying which countries the EEA currently deems “adequate.” The US is not among them: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
If you proceed with such transfers, do so with eyes open. While far beyond the scope of this brief blog post, know there are:
- Operational choices to be made/negotiated within the SCCs (including selection of appropriate module(s), handling of subprocessors, governing law and jurisdictions); Annexes to be populated (in detail); obligations (notably including conducting and documenting a transfer impact assessment).
- And, ongoing legal challenges (e.g., Schrems II and its progeny), with no guarantee such cross-border transfers will be found to comply with the GDPR even when using “new” SCCs, incorporating “supplementary measures,” or if/when the proposed Trans-Atlantic Data Privacy Framework comes to be.
- See, e.g.: the European Commission’s Q&A about implementing the new SCCs: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; and articles by Mr. Schrems’ advocacy non-profit: https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal; https://noyb.eu/en/open-letter-future-eu-us-data-transfers
What about the UK? Are the clauses the same, or the deadlines the same, for Persona Data transfers subject to UK Data Protection Laws? No. Thank Brexit. See: https://www.techcontracts.com/2022/03/29/contract-terms-current-uk-idta/.

By Kathy O’Sullivan, Esq. (CIPP/E, CIPP/US)

Looking to learn about information technology contracts? Tech Contracts Academy offers public and in-house trainings.

© 2022 by Tech Contracts Academy, LLC. All rights reserved.

Thank you to Pixabay.com for great, free stock images.

Share the Post:

Related Posts

NEXT WEEK – Tech Contracts Academy’s LIVE webinars return

We hope you will join us NEXT WEEK on March 20, 2025 for our live webinar: Artificial Intelligence Contracts: Drafting and Negotiating. Artificial intelligence contracts raise new concerns, as

March 12, 2025

The Overuse of Indemnities

This week’s musings on tech contracts… Many American IT contracts feature a strange clause. One party (usually the customer) asks the other for an indemnity

February 19, 2025

LIVE Tech Contracts Master Classes Return – Taught by David Tollen

We’re happy to announce that our LIVE Tech Contracts Master Class™ series for 2025 is open for registration. Join David Tollen, and learn how to negotiate information technology

February 11, 2025

Outcome-Driven Descriptions in Big, Complex SoWs

This week’s musings on tech contracts… The SoW for a large IT development project generally features a long list of duties for the vendor. But

February 6, 2025