The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR? - Tech Contracts

The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR?

[Things don’t stand still in the world of data privacy. Check out our updates about the EU Adequacy Decision and next steps: https://www.techcontracts.com/2023/07/21/personal-data-transfers-schrems/, and background here – Third Time Lucky? Personal Data Transfers between the U.S., EU, UK; Draft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]

Does the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) apply to your contracts’ transfers of Personal Data from the European Economic Area (“EEA”) to a country (such as the United States) that the EU deems to lack “adequate” safeguards?

If so, do you rely on contract terms to permit such cross-border transfers?
If yes, it’s time to check your contracts – do they have the current SCCs for international transfers (Commission Implementing Decision (EU) 2021/914, aka “new” SCCs”)?
- The grace period to transition from earlier SCC versions (where entered into by September 27, 2021) ends December 27, 2022.

Here’s a link identifying which countries the EEA currently deems “adequate.” The US is not among them: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
If you proceed with such transfers, do so with eyes open. While far beyond the scope of this brief blog post, know there are:
- Operational choices to be made/negotiated within the SCCs (including selection of appropriate module(s), handling of subprocessors, governing law and jurisdictions); Annexes to be populated (in detail); obligations (notably including conducting and documenting a transfer impact assessment).
- And, ongoing legal challenges (e.g., Schrems II and its progeny), with no guarantee such cross-border transfers will be found to comply with the GDPR even when using “new” SCCs, incorporating “supplementary measures,” or if/when the proposed Trans-Atlantic Data Privacy Framework comes to be.
- See, e.g.: the European Commission’s Q&A about implementing the new SCCs: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; and articles by Mr. Schrems’ advocacy non-profit: https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal; https://noyb.eu/en/open-letter-future-eu-us-data-transfers
What about the UK? Are the clauses the same, or the deadlines the same, for Persona Data transfers subject to UK Data Protection Laws? No. Thank Brexit. See: https://www.techcontracts.com/2022/03/29/contract-terms-current-uk-idta/.

By Kathy O’Sullivan, Esq. (CIPP/E, CIPP/US)

Looking to learn about information technology contracts? Tech Contracts Academy offers public and in-house trainings.

© 2022 by Tech Contracts Academy, LLC. All rights reserved.

Thank you to Pixabay.com for great, free stock images.

Share the Post:

Related Posts

David Tollen’s Live Webinars About Technology Contracting – April 16, May 21

Join Tech Contracts Academy’s two remaining live webinars this spring: April 16 – The Indeminar: Indemnities in Contracts about Software, the Cloud, and AI May 21 – IP

April 9, 2024

Educational videos partnership with Briefly

Tech Contracts Academy and David Tollen have partnered with Adam Stofsky and Briefly Inc. to create a series of short, concise videos, covering contract basics. The videos are

April 4, 2024

Don’t grant a fault-based indemnity

I think it’s a mistake to indemnify against claims resulting from indemnitor negligence or other wrongdoing. Indemnities against 3rd party claims usually specify the claims

April 2, 2024

New AI Contracts Training Available On-Demand

David Tollen’s Tech Contracts Academy just released a new, updated version of our popular training: AI Contracts – Drafting and Negotiating. With 1 year’s access, you can use it for training and as a reference.

March 14, 2024