Since the end of the Privacy Shield, European companies that use services from Microsoft, Google or Facebook are hanging in the air legally. Now, on June 04, 2021, the European Commission adopted two new sets of Standard Contractual Clauses (SCC) to increase legal certainty when transferring data to America.
Specifically, they deal with data transfers between controllers and processors and with the transfer of personal data to third countries.
A significant change is the new modular structure: This covers more constellations of data transfers than before. Modules can be flexibly selected for the respective individual cases, depending on the relationship between the parties. However, the clauses that apply to all cases are always retained.
The new SCCs also cover more than before in terms of content – for example, there will no longer be a need for an additional order processing contract in the future.
Existing contracts must be replaced by the new standard contractual clauses by December 27, 2022. New contracts, on the other hand, must already take the new regulations into account from September 29, 2021.
Although the new standard contractual clauses are more aligned with the GDPR and take into account the Schrems II judgement, they are not sufficient to fully comply with the requirements of the Schrems II judgement, according to DSK and EDPB. They can be used as a legal basis for third country transfers, but additional measures are still needed. In any case, the data exporter must additionally review the legal situation and practice in the third country to see to what extent these could affect the level of data protection adopted in the stand-alone clauses. Depending on this, further additional measures must be taken, or data transfers must be discouraged.
So, it is now up to German companies to re-examine existing data processing procedures and adapt them to the changes. And this is best done as soon as possible, because at the beginning of June 2021, several German supervisory authorities launched a cross-state inspection of the third-country transfers of various companies. At least involved are Bavaria, Berlin, Hamburg and Baden-Württemberg. If the requirements of the Schrems II judgement are not met, prohibition orders or sanctions such as fines could follow.
What at first glance seems like a big task is done faster and easier than expected with the following helpful and free checklists and samples:
A future in which companies can work exclusively with European alternatives is not yet within reach. At least Microsoft represents a glimmer of hope: In the future, their customers' corporate data will be stored and processed exclusively in Europe. This concerns companies and public administration that use the Cloud Azure, Microsoft 365 and Dynamics 365 applications. However, the extent to which this will solve the Cloud Act problem, which allows US intelligence agencies to access data outside the USA, is disputed. So, it remains exciting and we will be happy to inform you about further developments!