The clock is ticking! The deadline for switching to the new EU Standard Contractual Clauses (SCC) for data transfers between the EU and non-EU countries is December 27, 2022. As of that date, data controllers and processors around the world that process the personal data of EU residents will no longer be able to rely on the old SCCs without violating the General Data Protection Regulation (GDPR). In other words, companies are legally obligated to replace all previously used SCCs with the new ones, and should be able to demonstrate having done so in case of an audit.
As a reminder, SCCs are standardized and pre-approved model data protection clauses that allow data controllers and data processors to comply with their obligations under EU data protection law. They ensure that appropriate data protection safeguards are in place for international data transfers. SCCs must be properly completed and signed by the parties. Simply including a reference to the SCCs in a data processing agreement is not sufficient and does not comply with EU law.
Violating the GDPR may result in heavy penalties for big and small organizations alike. In this case, failure to adopt the new SCCs may lead to a penalty of up to 10M euros ($10,500,000) or up to 2% of the company’s total worldwide annual revenue for the preceding financial year, whichever is higher.
If you have questions about complying with this important deadline, please contact Stephan Grynwajc at stephan@outsidegc.com or 347-543-3035.
Stephan Grynwajc is admitted to the practice of law in the U.S., Canada, U.K. and in France/the European Union. He has served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU, UK and Canadian legal and regulatory landscape.
