Complying with the Schrems II Ruling: A Checklist

Chris Bell
February 23, 2022

The Schrems II ruling given by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Data Protection Commissioner v Facebook Ireland LTD, Maximilian Schrems and intervening parties, Case C-311/18) upset the apple cart for organizations affected by the EU’s General Data Protection Regulation (GDPR) and how they export data.

Not surprisingly, Schrems II is generating waves of anxiety among in-house legal teams charged with ensuring that their contracts are updated to comply with GDPR. Many organizations are dealing with thousands, if not tens of thousands, of supplier contracts that involve the processing of personal data. The impact is wide-ranging, affecting almost every business sector.

While the ramifications of the Schrems II ruling are still being played out, there are many processes that suppliers should put in place to ensure they are complying now and in the future.

Background

The Schrems II ruling addresses the Standard Contractual Clauses (SCCs) used in contracts to ensure the protection of personal data: while they remain a valid export mechanism under Article 46, they now come with strict conditions. The Court stipulated stricter “assessment” requirements for the transfer of personal data based on the SCCs. This places a bigger, more active burden on organizations to check that appropriate safeguards are in place when transferring personal data.

Among other things, this latest European data protection development tackles the lacunae in protection in third-country legal systems by placing responsibility on data exporters and data importers to ensure sufficient additional measures are in place for such transfers. Organizations are required to undertake an “assessment” and take a considered approach to personal data processing.

In response to the stricter requirements in Schrems II for data transfers based on SCCs, on 4 June 2021, the European Commission published its final Implementing Decision adopting new standard contractual clauses for the transfer of personal data to third countries (New SCCs). The European Commission Implementing Decision established a phased timeline for compliance according to which data exporters and data importers have until 27 December 2022 to replace contracts using the previous standard contractual clauses (i.e., clauses issued under Decision 2001/497/EC or Decision 2010/87/EU) with the New SCCs.

If you are daunted by Schrems II and its impact on your organization, you are not alone. Factor is partnering with its clients across industries to effect compliance.

We have condensed our learnings into a handy checklist of considerations, as a starting point, for your organization as it prepares for the December 2022 deadline.

1. Identify which of your supplier contracts are likely to be affected

Data

  • Which data is being processed on your organization’s behalf?
  • Where is data being processed?
  • What measures are in place to protect the data?

Data Sources

  • Which of this information is detailed in a contract (specifying data protection requirements)?
  • Which of this information is stored in vendor management systems?
  • Which of this information is within the knowledge of system owners?

Data Transfers

  • What are the circumstances under which personal data is transferred?
  • It is important to keep in mind that not all data flows qualify as a “transfer” to a third country in accordance with Chapter V of the GDPR.

2. Finalize your scope

Ensuring you have all the data in one central shared location is crucial. You will then want to consider the best approach to remediation. Three suggested approaches to consider:

Targeted outreach:

  • Review legacy contracts (tech-enabled where volume dictates) to narrow the scope of potentially impacted supplier contracts.
  • Send questionnaires, specific to mapping your data, to suppliers.
  • Perform transfer impact assessments.
  • Prioritize contact with suppliers, based on a variety of factors including criticality to business/commercial operations, sensitivity and volume of data, relationship status, and risk/impact according to data gathered.

Blanket outreach:

  • Gather information on data transfers from internal systems and responses to questionnaires from suppliers.
  • Perform transfer impact assessments.
  • Reach out to all potentially in-scope suppliers and execute amendments to relevant contracts with new SCCs.

Hybrid approach:

  • Be selective in the supplier contracts you assess as a priority and use the blanket approach for all other contracts.

We recommend that your preferred approach be determined by the outcome of your data risk assessments and an evaluation of the cost to remediate. Benefits can be had from a targeted approach, which may balance the initial cost. With a targeted approach, you will engage with key suppliers. This will allow you to gather valuable, critical information to ensure you are fully informed on where the data is and how it is being handled, thereby taking responsibility to ensure that there are adequate controls to protect the data. This is the essence of the Schrems II ruling.

3. Assess risk and prioritize amendments to supplier contracts

It will be necessary to prioritize the contracts that need amending, and we suggest considering the following:

  • What data is being used? GDPR applies to all personal data, but particular care should be taken when the data is sensitive, such as data relating to children and “special categories” of data, e.g., health data.
  • What measures do you have in place already, and what further technical and organizational protections might you need?
  • Where is your data transferred? For some inter-country transfers, nothing different is required (for example, countries where there is an adequacy decision, such as the UK, Canada, Switzerland).

4. When applying the New SCCs, select the correct module(s) for your supplier contracts

While SCCs cannot be negotiated, there is a modular approach to applying them to contracts, and the selection of module depends on the relationship determined by assessing the processing of data. Selecting the correct module(s), thereby ensuring the correct contractual obligations are in place, is essential for compliance. The module to be inserted into the contract amendment can be determined by identifying certain activities. Here are some illustrations:

  • Controller to controller - (Module 1). For example, likely to apply when buying an airline ticket on Skyscanner: both Skyscanner and the airline company are likely to control how and why the data is processed.
  • Controller to processor - (Module 2). For example, likely to apply when a company in the EEA sends data originating in the EEA for processing outside the EEA.
  • Processor to processor - (Module 3). This is effectively a sub-processing contract.
  • Processor to controller - (Module 4). This module contains clauses specifically for situations where a processor, subject to the GDPR, transfers data to a third country controller which is not automatically subject to the GDPR.

Setting up for the future: how do you carry out Schrems II remediation in a way that is as future-proof as possible?

Regulators are increasingly looking to companies to be proactive. This requires thinking ahead about which other regulations are likely to impact your organization (for example, California and Virginia in the US; and the UK), as countries become more sophisticated in their approach to data privacy. Additionally, while SCC compliance is mandatory, regulators see this as the first step to ensuring data privacy is being addressed. SCC compliance is the starting point that must be furthered operationally within an organization to ensure that companies are also “walking the walk.”

Accordingly, use the process of adapting your SCCs as an opportunity to:

  • Build a mapping of data transfers you currently have in place;
  • Track and maintain the contracts to which these relate;
  • Track the measures in place to protect the data being transferred;
  • Ensure that internal processes and technology infrastructure are adequate/up to date.

Maintaining this will make it easier to adapt to changing regulations in relation to data privacy in the future.

While it is only February, the festive season will be on us faster than you expect and with it the requirement to have adopted the SCCs. Unlike your gift shopping, don’t put it off. Reach out to Factor for support today.