I am a nonprofit: What do the new EU Standard Contractual Clauses (SCCs) mean to me?
Since the General Data Protection Regulation (“GDPR”) went into effect in 2018, the European Commission has been working on a new version of the Standard Contractual Clauses (SCCs) that facilitate compliance with the restrictions on international data transfers (codified in Article 44 et seq. of GDPR). In parallel, the European Commission has also been working on a standardized version of the contractual provisions that Article 28 of GDPR requires between a controller and its processors.
On June 4, 2021, the European Commission announced (press release here) the final version of the SCCs both for cross-border transfers (see here) and for controller-processor contracts (see here). Both were published in the Official Journal of the EU on June 7, 2021 (see here) and enter into force on the twentieth day after publication, i.e. June 27, 2021.
But what does this all mean in practice for the nonprofit sector?
NOTE: The continued development of informational privacy requirements is a major challenge for the nonprofit sector. Nonprofit organizations are mission and community oriented and instinctively see themselves as privacy-forward. However, resource constraints and (let’s face it) impractical advice can make that goal seem unattainable.
This posting is part of a series of blog posts by Golden Data Law dedicated to making resources about privacy, data protection and cybersecurity freely available to the nonprofit community.
To learn more about us visit our site at https://goldendatalaw.com/
PRACTICE TIP: Standard Contractual Clauses (SCCs) are contractual provisions for personal data transfers that a regulator has pre-approved as compliant with applicable law. You have probably heard the term “SCCs” most frequently in connection with EU cross-border data transfer compliance, but (Fun fact!) other countries have approved SCCs as well (e.g. Argentina and New Zealand).
But, wait a minute, are you sure GDPR does apply to the nonprofit sector?
Yes, GDPR applies to the nonprofit sector just like it does to the for profit sector.
PRACTICE TIP: Of course, it is possible for a specific nonprofit to be outside the territorial scope of GDPR. You can find an explanation of the legal thresholds for that here. Fair warning: this is a very fact-specific test and one of those areas where you may want to splurge and get an assessment from competent EU counsel (or perhaps ask your provider of pro bono legal services whether they would assess GDPR applicability for you). If you want to schedule a 30 minute free consultation with us, send us a note (we will not be able to evaluate the applicability of GDPR in 30 minutes, but at least we can help you think through your options).
So, assuming GDPR applies to me, what do I have to do now?
STEP ONE: KNOW YOUR TRANSFERS
The main challenge for most nonprofit organizations will likely be to have a clear enough understanding of how data is being shared. This should cover not only sharing with third parties but also sharing within a nonprofit group. Once you figure out who is getting what data, the next challenge will be to identify the respective roles of the entities sharing/receiving the data for each transfer.
These are the four options:
- Controller-to-controller (C2C) transfers;
- Controller-to-processor (C2P) transfers;
- Processor-to-processor (P2P) transfers; and
- Processor-to-controller (P2C) transfers.
PRACTICE TIP: You can see an explanation of what a controller and a processor are here & here. The EDPB Guidelines on the concepts of controller and processor (2020) are also a very useful resource. However, be cautious when making your own determination, particularly in the area of data collected/shared in the context of clinical trials and in situations involving decentralized data processing (see the posting on the challenges of applying GDPR to blockchain here).
STEP TWO (THE “MUST DO”): UPDATE YOUR CROSS BORDER DATA TRANSFER SCCs
- As of YESTERDAY: The former SCCs for cross-border data transfers will not be repealed until three months after the new decision enters into force. This means that, in theory, you can still conclude new contracts on the old SCCs until September 27, 2021. That said, all contracts using the old SCCs will have to be updated within the following 18 months (see the next two bullets). Ergo, my advice is to stop using the old version of the SCCs for all new cross-border transfers and start using the new version ASAP. The new SCCs take a modular approach: they include general provisions that apply to all transfers and several module-specific provisions that must be selected based on the status of the parties under the GDPR. In practice, this means that if you often transfer data cross-border, you may have to train your team on how to select the correct module for each particular set of SCCs and how to fill out the corresponding annexes (C2C, C2P, P2P or P2C).
- Before January 1st, 2022: Contracts concluded on the old SCCs before they are repealed remain valid, but only for 18 months after the repeal (i.e. until December 27, 2022), and only as long as the processing operations they cover remain unchanged. This means that you will have to identify all existing contracts that rely on the old version of the SCCs (and the particular type of transfer each one covers: C2C, C2P, P2P or P2C) before the end of the year. This should give you enough time to update those contracts by filling out the new forms and getting them signed before the transition period expires.
- Before November 1st, 2022: Update all contracts relying on the old version of the SCCs to include the new version instead, leaving yourself a buffer before the December 27, 2022 deadline.
STEP THREE (THE “SHOULD DO”): UPDATE YOUR DATA PROTECTION ADDENDUM
If you are currently using a standard template for Article 28 compliance (typically referred to as a Data Protection Addendum or DPA), you can keep using what you have. However, adopting the standardized controller-to-processor SCCs released by the European Commission can have advantages (starting with the fact that you do not have to pay a law firm to generate a template for you). It can also reduce friction in future contractual negotiations, particularly for frequently negotiated clauses such as audit provisions.
That said, read (or have your attorney read) the new controller-to-processor SCCs before adopting them as your DPA, and make sure you can actually comply with the provisions that would apply to you.
Are you sure I can really do this?
Yes, you can do this. In fact, if you approach the project from the right perspective, you can get the most out of the investment by using it to facilitate future work.
Here are a few tips:
- Scope the project early and secure resources: Get organized early. Identify the internal resources needed, reach out to relevant stakeholders, and engage external resources if needed to help with contract negotiations.
- Be proactive, not reactive: For nonprofit organizations it is generally beneficial to be proactive in developing contractual templates for data transfers. Otherwise, it is likely that for-profit organizations subject to laws that do not apply to you (like the new California Privacy Rights Act (CPRA) and/or Virginia’s Consumer Data Protection Act (CDPA)) will push on you language designed to protect their own interests that may or may not be relevant to your own compliance or aligned with your mission. Consider taking a holistic approach to all transfers (regardless of jurisdiction); this might increase requirements in some jurisdictions but will be more efficient operationally.
- Keep it as simple as possible: Since the enactment of GDPR, the trend in privacy contractual compliance has been towards increased complexity driven by overlapping jurisdiction-specific requirements. We are at a point where the length of the data transfer provisions in a given contract can significantly exceed the length of the underlying contract itself (the new SCCs for transfers to third countries alone are 36 pages long). Because this trend is unlikely to abate, it is essential to look for synergies and actively seek to simplify compliance. For example, treat this contract update exercise as an opportunity to create a simple ledger of contracts involving data transfers (counterparty, type of transfer, which SCC module and annexes apply, and the date it was last updated). This can prove intensely helpful down the road when new legal requirements need to be implemented.
And what about the UK?
The new EU SCCs are not, on their own, a valid transfer mechanism for personal data transferred from the UK, since the UK is no longer a member of the European Union.
It is expected that the UK Information Commissioner’s Office will adopt a similar set of clauses for data transfers from the UK in due course.
So let’s save the UK for a future post….