In June, the European Commission published new standard contractual clauses that companies can use when transferring personal data outside the EU and the EEA. The updated clauses must have been introduced in new contracts since September.

Standard contractual clauses concerning transferring of personal data may be used as a part of a personal data processing agreement when personal data is transferred outside the EU and the EEA, for example to the United States. Standard contractual clauses determine the obligations of the data exporter and the data importer and help to ensure that the level of data protection in the transfers is adequate.

The European Commission published the updated clauses in June. The matter is important for all companies that transfer personal data outside the EU and the EEA specifically on the basis of standard contractual clauses.

The introduction of the new clauses is due to two reasons in particular. It was necessary to take into account the obligations of the GDPR also in the standard contractual clauses, as the previous standard contractual clauses had been drawn up prior to the entry into force of the GDPR.

Another important reason was the Schrems II ruling by the Court of Justice of the European Union, which removed the so-called Privacy Shield arrangement between the EU and the United States that aimed for adequate level of data protection. Prior to that case, personal data could be transferred to the United States to parties covered by the Privacy Shield without separate standard contractual clauses. In the future, personal data can be transferred to the United States, for example, by using standard contractual clauses.

Standard contractual clauses simplify, among other things, the operation of business networks. In business networks it is common for new parties to become involved on a fast schedule. Standard contractual clauses allow new parties to join the existing networks without always having to negotiate data transfers separately.

“Standard contractual clauses facilitate the compliance with data protection legislation regarding personal data transfers. Of course, the use of these clauses requires that they are not modified, and that the obligations set out in them are fulfilled”, says Sonja Heinonen, a lawyer at Procopé & Hornborg, who specializes in data protection.

New contracts up to date immediately

Updated standard contractual clauses must have been used in new contracts since September.

For old contracts that are still in force, the deadline is 27 December 2022. After this date, the standard contractual clauses in the old contracts will have to be updated, if the contracts continue to apply.

In August, the Office of the Data Protection Ombudsman announced that it will increase supervision of personal data transfers outside the EEA. Violations of the GDPR’s provisions regarding transfers of personal data may lead to, among other things, suspension of data flows, which could have crippling effects on a company.

In addition, violations can lead to an administrative fine up to EUR 20 million, or in case of an undertaking, up to four per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

“New standard contractual clauses can be introduced in existing contracts by drawing up a short amendment agreement, in which it would be agreed that the contracts would otherwise remain unchanged but transfers of personal data would be subject to the new standard contractual clauses from the date of signing the amendment agreement,” says Heinonen.