The Schrems II Clock is Ticking: A Checklist

  • Chris Bell, Contracts Product Management Manager at Factor

  • 06.06.2022 05:15 pm
  • #data

The Schrems II ruling given by the Court of Justice of the European Union (CJEU) on 16 July 2020 upset the apple cart for organizations across the globe, and the latest iteration of the regulation is generating waves of anxiety among in-house legal teams who are already charged with ensuring that their contracts are updated to comply with the EU’s General Data Protection Regulation (GDPR). Many organizations are now dealing with thousands, if not tens of thousands, of supplier contracts that involve the processing of personal data. The impact is wide-ranging, affecting almost every business sector.

Among its wide-ranging scope, the latest European data protection development tackles the lacunae in the protection of third-country legal systems by placing responsibility on data exporters and data importers to ensure sufficient additional measures are in place for such transfers. Organizations are required to take an “assessment" and carry out a considered approach to the personal data processing to comply.

While the ramifications of the Schrems II ruling are still being played out, there are processes that suppliers can put in place to ensure they are complying now and in the future. Here is a checklist of considerations that will help your organization to prepare for the December 2022 deadline.

1. Identify which of your supplier contracts are likely to be affected

Data

  • Which data is being processed on your organization’s behalf?
  • Where is data being processed?
  • What measures are in place to protect the data?

Data Sources

  • Which of this information is detailed in a contract (specifying data protection requirements)?
  • Which of this information is stored in vendor management systems?
  • Which of this information is within the knowledge of system owners?

Data Transfers

  • What are the circumstances under which personal data is transferred?
  • It is important to keep in mind that not all data flows qualify as a “transfer” to a third country in accordance with Chapter V of the GDPR.

2. Finalize your scope

Ensure you have all the data in one central shared location. The next step is determining the best approach to remediation. Here are three suggested approaches:

Targeted outreach:

  • Review legacy contracts (tech-enabled where volume dictates) to narrow the scope of potentially impacted supplier contracts.
  • Send questionnaires, specific to mapping your data, to suppliers.
  • Perform transfer impact assessments.
  • Prioritize contact with suppliers, based on a variety of factors including criticality to business/commercial operations, sensitivity and volume of data, relationship status, and risk/impact according to data gathered.

Blanket outreach:

  • Gather information on data transfers from internal systems and responses to questionnaires from suppliers.
  • Perform transfer impact assessments.
  • Outreach to all potentially in-scope suppliers and execute amendments to relevant contracts with new Standard Contractual Clauses (SCC).

Hybrid approach:

  • Be selective in the supplier contracts you assess as a priority and use the blanket approach for all other contracts.

Your approach should be determined by the outcomes of your data risk assessments and an evaluation of the cost to remediate. A targeted approach can be beneficial, which may balance the initial cost.  With a targeted approach, you will engage with key suppliers. This will allow you to gather valuable, critical information to ensure you are fully informed on where the data is and how it is being handled, thereby taking responsibility to ensure that there are adequate controls to protect the data. This is the essence of the Schrems II ruling.

3. Assess risk and prioritize amendments to supplier contracts

It will be necessary to prioritize the contracts which need amending. Ask the following:

  • What data is being used? GDPR applies to all personal data, but particular care should be taken when the data is sensitive, such that it relates to children and “special categories” of data, e.g., health data.
  • What measures do you have in place already, and what further technical and organizational protections might you need?
  • Where is your data transferred? For some inter-country transfers, nothing different is required (for example countries where there is an adequacy decision, such as the UK, Canada, and Switzerland)

4. When applying the New SCCs, select the correct module(s) for your supplier contracts

While SCCs cannot be negotiated, there is a modular approach to applying them to contracts, and the selection of which module depends on the relationship determined by assessing the processing of data. Selecting the correct module(s) thereby ensuring the correct contractual obligations are in place, is essential for compliance. The module to be inserted into the contract amendment can be determined by identifying certain activities.

Here are some illustrations:

  • Controller to controller - (Module 1). For example, likely to apply when buying an airline ticket on Skyscanner: both Skyscanner and the airline company is likely to control how and why the data is processed.
  • Controller to processor - (Module 2). For example – likely to apply when a company in EEA sends data originating in the EEA for processing outside the EEA.
  • Processor to processor - (Module 3). This is effectively a sub-processing contract.
  • Processor to controller - (Module 4). This module contains clauses specifically for situations where a processor, subject to the GDPR, transfers data to a third country controller which is not automatically subject to the GDPR.

Future-proofing your Schrems II remediation

Regulators are increasingly looking to companies to be proactive. It requires forward-thinking into which other regulations are likely to impact your organization (for example, California and Virginia in the US), as countries become more sophisticated in their approach to data privacy.  Additionally, while SCC compliance is mandatory; regulators see this as the first step to ensuring data privacy is being addressed.  SCC compliance is the starting point that must be furthered operationally within an organization to ensure that companies are also “walking the walk.”

Accordingly, use the process of adapting your SCCs as an opportunity to:

  • Build a mapping of data transfers you currently have in place.
  • Track and maintain the contracts to which these relate.
  • Track the measures in place to protect the data being transferred.
  • Ensure that internal processes and technology infrastructure are adequate/up to date.

While it is still a little over six months until the December 2022 deadline, you should take steps now if you haven’t yet to ready your organization. Using the checklist, adapting your SCCs, and maintaining it will make it easier to adapt to changing data privacy regulations in the future. 

Related Blogs

ISO 20022 Enhanced Data - The Golden Standard
  • 5 months 4 weeks ago 04:00 am
Data Compression Strategies
  • 6 months 1 week ago 02:00 am

Other Blogs