
4 November 2022

International data transfers: Have you updated your contracts?

At the end of December 2022, the transition period for reviewing and updating your contracts and clauses governing international data transfers will end. This means that if you use the European Commission's old "Standard Contractual Clauses" after that date, you will probably no longer be compliant with the GDPR and the Swiss Data Protection Act. We have formulated five questions to find out whether you have a problem – and risk being sanctioned.

The European Commission's "Standard Contractual Clauses" (EU SCC) were updated in June 2021, and the deadline for updating contracts will end at the end of December 2022 under both the GDPR and the Swiss Data Protection Act. Of course, the EU SCC are only needed if you transfer personal data to a third country that has not been recognized as providing an adequate level of data protection and have no other legal basis for doing so. Many companies and their providers use the EU SCC.

You should therefore ask the following five questions in your organization:

  1. Do you use cloud-based services or other international service providers and have not updated your contracts with them since summer 2021 (except for Microsoft)?
  2. Do you have affiliates outside Europe that can access your data or do you provide them with IT services, but either do not have an "Intra-Group Data Transfer Assessment" or do have such a contract, but have not updated it since summer 2021?
  3. Do you have customers in countries outside Europe, and process personal data for them or provide them access to your own personal data, but have not updated your data protection clauses with them since summer 2021?
  4. Are you using the new EU SCC without having notified the Federal Data Protection Information Commissioner about their use?
  5. Do you transfer personal data outside Europe using the EU SCC, but have never conducted a so-called Transfer Impact Assessment?

If you have to answer any of these questions with a "yes", you should analyze your situation more closely, as you are likely not compliant. 

You can download the flyer here.

We are happy to help you do so and to resolve any issues you may find. To support you, we have created a flyer with these questions and a link to a flow-chart with more information (taken from our "DPC Handbook" with many more instructions on how to handle data protection matters as an in-house data protection coordinator).

An extensive FAQ on the EU SCC has been published here.

Author: David Rosenthal

Category: Data & Privacy