Reading time: 6 minutes

Does your business need to comply with the General Data Protection Regulation (the GDPR) or sign contracts with businesses that need to comply with the GDPR? If so, then the new standard contractual clauses are relevant to you.

From the end of September 2021, you need to start using the updated standard contractual clauses for new overseas data transfers. By the end of 2022, you also need to have updated agreements for all your existing data transfers. With deadlines looming, it is important to understand what:

  • standard contractual clauses are;
  • has changed; and
  • you need to do next.

This article will explain. 

What are the Old Standard Contractual Clauses?

When the GDPR was introduced in May 2018, new requirements arose for the transfer of personal data outside of the European Economic Area (EEA) to countries with inadequate protections. Australia is considered an inadequate destination. 

If you are transferring personal data to an inadequate destination, the requirements mandate that you must first put safeguards in place to protect the data to the same standard as the GDPR. One of the best ways to implement safeguards is by incorporating contractual obligations. For this reason, data exporters use the GDPR standard contractual clauses with data importers. 

The clauses work well as a safeguard. This is because the European Commission prepared them with the express purpose of protecting overseas transfers of personal data. Accordingly, they set out what: 

  • a data exporter must do to export the data safely; and
  • the data importer must do to safeguard it on receipt. 

The drawback of using the old clauses was that they were created before the GDPR. Therefore, they did not contemplate all of the GDPR’s specific requirements. The good news is that the new standard contractual clauses have been updated with the GDPR in mind.

How Have the Standard Contractual Clauses Changed?

One of the key changes to the standard contractual clauses is that while the previous version was prepared before the GDPR, the new version includes updates to better align the clauses with the GDPR. You can see the GDPR driven changes in three main ways. These are as follows:

1. Modules for Different Types of Transfers

Previously, the standard contractual clauses only applied to transfers that were either: 

  • EU-controller-to-overseas-processor; or
  • EU-controller-to-overseas-controller. 

Whereas, the new clauses include modules for a range of different types of transfers, including: 

  • controller-to-controller; 
  • controller-to-processor; 
  • processor-to-processor; and 
  • processor-to-controller. 

It has also been clarified that the parties do not have to be in the EU to use the clauses. This means that Australian-based businesses, which are subject to the GDPR, can use the clauses to safeguard transfers to inadequate third countries.

2. The Clauses Can Be Used as a Data Processing Agreement

The GDPR requires controllers and processors of personal data to have a contract or other legal act that binds the processor’s processing of personal data on behalf of the controller. In addition, there are specific items that the GDPR requires parties to include in the contract. Typically, this is managed by way of a data processing agreement

In addition to safeguarding overseas transfers, the new clauses work as a data processing agreement. This is because, unlike the old version, they include all the items which need to be put in place between a controller and processor for data processing. Accordingly, it is expected that the clauses will become the gold standard for data processing terms.  

It is likely to be recommended to use the standard contractual clauses as a base for a data processing agreement. However, you can add commercial terms to the clauses. This is as long as they do not: 

  • contradict, directly or indirectly, the standard contractual clauses; or 
  • prejudice the fundamental rights and freedoms of the individuals the personal data relates to. 

This means you can negotiate and document further commercial details and processes for your data processing and transfers. For example, you can agree on what a reasonable notice period is or how often you will perform security checks.

3. Extra Protections in Relation to Local Laws and Access by Public Authorities

In July 2020, the Court of Justice of the European Union handed down a judgement known as Schrems II. Schrems II invalidated the EU-US Privacy Shield on the basis that US surveillance laws meant that there were not sufficient safeguards in place for the transfer of personal data. While the case focused on the Privacy Shield, it also touched on the standard contractual clauses. Further, it noted that laws which conflict with the safeguards included in the clauses might undermine the protections they provide. Schrems II, therefore, introduced a requirement to perform a case-by-case assessment of each transfer to decide whether there are acceptable protections in place. 

To address the concern over access by public authorities, such as law enforcement or national security bodies, and local laws in inadequate jurisdictions, the new standard contractual clauses include further directions and obligations concerning what is to be done in a situation.

Note, however, that the changes do not remove the need for a case-by-case assessment of the safeguards for each transfer.

What Do I Need to Do Next?

With the new standard contractual clauses ready for use and upcoming deadlines, now is the time to review your current data transfers and update your documentation in line with the latest clauses and the Schrems II case. 

With a late September 2021 deadline, your priority should be updating your data processing agreement for future data transfers. Following this, you will also need to start considering how and when you will migrate your old agreements to the new clauses, noting the late 2022 deadline. 

Key Takeaways

If your business needs to comply with the GDPR or signs contracts with businesses that need to comply with the GDPR, then you should be aware of the new standard contractual clauses. From late September 2021, you must start using the updated standard contractual clauses for new overseas data transfers. You will also need to have updated agreements for all your existing data transfers by the end of 2022.

LegalVision cannot provide legal assistance with this topic. We recommend you contact your local law society.

Frequently Asked Questions

What are the key changes to the standard contractual clauses?

One of the key changes is that the new version includes updates to better align the clauses with the GDPR. These changes include that the new clauses have modules for a range of different types of transfers, the clauses can be used as a data processing agreement, and the clauses have extra protections in relation to local laws and access by public authorities

What do I need to do to prepare for the new GDPR contract clauses?

You should review your current data transfers and update your documentation in line with the latest clauses. Additionally, you should update your data processing agreement for future data transfers. Following this, you will also need to consider how and when you will migrate your old agreements to the new clauses by late 2022.

Webinars

Everything You Need to Know about SaaS Agreements

Thursday 7 April | 11:00 - 11:45am

Online
Understand which contracts will protect your SaaS contract from risk, and how. Register for free today.
Register Now

What to Consider When Buying a Tech or Online Business

Wednesday 13 April | 11:00 - 11:45am

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar today.
Register Now

Corporate Governance 101: Responsibilities for New Directors

Wednesday 27 April | 11:00 - 11:45am

Online
If you are a new company director, join our free webinar to understand your legal compliance obligations. Register today.
Register Now

Rogue Directors and Business Divorces: How to Remove a Director

Thursday 28 April | 11:00 - 11:45am

Online
Removing a board director is not simple. Join our free webinar to learn how to handle rogue directors. Register today.
Register Now

Employment Essentials for Tech Businesses

Thursday 5 May | 11:00 - 11:45am

Online
Protect your tech business and your employees by understanding your employment legal obligations. Register for our free webinar today.
Register Now

How to Protect and Enforce Your Trade Mark

Wednesday 11 May | 11:00 - 11:45am

Online
Protect your business’ brand from copycats and competitors. Register for this free webinar to learn how.
Register Now

How Franchisors Can Avoid Misleading and Deceptive Conduct

Wednesday 18 May | 11:00 - 11:45am

Online
Ensure your franchise is not accused of misleading and deceptive conduct. Register for our free webinar today.
Register Now

New Kid on the Blockchain: Understanding the Proposed Laws for Crypto, NFT and Blockchain Projects

Wednesday 25 May | 10:00 - 10:45am

Online
If you operate in the crypto space, ensure you understand the Federal Government’s proposed licensing and regulation changes. Register today for our free webinar.
Register Now

How to Expand Your Business Into a Franchise

Thursday 26 May | 11:00 - 11:45am

Online
Drive rapid growth in your business by turning it into a franchise. To learn how, join our free webinar. Register today.
Register Now

Startup Financing: Venture Debt 101

Thursday 23 June | 11:00 - 11:45am

Online
Learn how venture debt can help take your startup to the next level. Register for our free webinar today.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Our Awards

  • 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year - Australasian Law Awards
  • 2019 Most Innovative Firm - Australasian Lawyer