As the new Standard Contractual Clauses (SCC) enter into force, companies hurry to facilitate the flow of data in line with new rules. Not having been updated after the GDPR came into force, the previous SCC version already needed a major overhaul when the European Court of Justice published its famous Schrems II decision and forced companies to immediately review their international data transfers.
We spoke with the team at global law firm, Fieldfisher, on how they help clients navigate the new SCC rules through a free digital tool: mySCCcreator.
Running on the BRYTER no-code service automation platform, mySCCcreator allows users to assemble the right contract template with clauses relevant to each case. By answering questions, users cover different data transfer constellations, ultimately resulting in a smooth transition to the new standards.
Enter new SCC
In June 2021, the European Commission published its final Implementing Decision adopting new standard contractual clauses for the transfer of personal data to third countries.
As this decision takes effect on the 20th day following the publication, new rules have been in use since 27 June 2021. However, the decision that approves the current SCC is repealed in three months from the effective date of the new decision. There is also a transitional provision, under which the current contractual clauses provide sufficient safeguards for data transfers for additional 15 months from the effective date.
Despite the complex regulatory SCC framework, the revised clauses are a comprehensive project that aims to add more protection to data transfers between the EU and third countries. The SCC can be used whenever the exporting party is subject to the GDPR – even if the data exporter is not established in the EU.
If a controller is subject to the GDPR on an extra-territorial basis, for example, because it is apparent that it intends to offer goods and services to data subjects in the EU (i.e. Art. 3 (2)(a) of the GDPR), and that controller wishes to transfer EU personal data to a processor, it can now use the SCC to do this.
Challenges of implementing new rules
Oliver Süme, Partner, Technology, Outsourcing and Privacy, at Fieldfisher, spoke to us about the challenges their clients face when implementing the new clauses.
“SCC are currently the most important legal ground for international data transfer under the GDPR. And clients need to assess their existing data transfers and vendor relations and adjust and upgrade to the new SCC.”
“However, the challenge lies in the fact that no one to one adjustment is possible, as the new set of SCC provides more flexibility with regard to relations as processor or controller. Plus, it allows for combining different relations in a single contract, where the various SCC modules can be combined. And it is this combination that is challenging to clients. But with the mySCCcreator, these combinations are a lot more comfortable to navigate.”
By enabling clients to assess necessary adjustments on a case-by-case basis, the team at Fieldfisher aims to take the pressure away from rightly managing data flows.
“Our goal is to help clients assess existing contracts – within the company, with vendors, and with other third parties, with regard to international data transfers. We also advise clients on how to carry out data transfer impact assessments and implement supplementary measures.”
Building a solution that aligns with specific user needs
We spoke to Melanie Ludolph, Associate, Technology, Outsourcing and Privacy, at Fieldfisher, about how Fieldfisher uses technology to deliver advice to clients as well as all interested parties.
“With mySCCcreator, we provide a free-of-charge tool to all interested users and not only clients. The tool we’ve built is also a good resource for us within the firm because it allows us to generate the document with relevant modules. It is a good starting point to then further tailor our advice to our clients, aligned with their specific needs.”
“In a nutshell, mySCCcreator is a tool to generate a personalised version of the 2021 SCC for the transfer of personal data to third countries. Users fill out a simple questionnaire, and based on their answers, the tool leads them to a document with all the modules of the SCC that they need.”
“We’ve designed the tool in such a way, that the questions are tailored to the needs of the user, so they never get asked anything we do not need the answer to when making the assessment. This helps relieve the users of additional overhead, allowing them to focus on key aspects of SCC compliance.”
Besides providing free legal advice to clients as they align with the new clauses, the Fieldfisher tool also aims to assist all interested parties in a way that, as Melanie sees it, empowers clients to focus on essential legal issues surrounding the SCC. “The result of the questionnaire is an editable word file where the user only has to fill in the information in the appendices. This saves a lot of time, and as a result, the users can focus on most important legal issues related to the SCC, such as documenting a transfer impact assessment, where we can additionally assist them” explains Melanie.
Building with BRYTER
Lars Ippich, Legal Innovation Officer at Fieldfisher, sheds light on the process of building a digital solution such as mySCCcreator with no-code.
“BRYTER is a great starting point to quickly deploy a new tool. It allows us to build and iterate quickly and makes deployment quite easy for us. With its modular and abstract approach to the content of a module, BRYTER can adapt to fit around ideas from a wide range of topics.”
All current contracts need to be re-papered until next year, but starting on September 27th all new contracts are required to make use of the new SCC already, leaving companies strapped for time, which is why it was vital to roll out the tool fast.
“We were able to develop this tool incredibly quickly by getting together with a number of experts in their respective fields. In just two weeks, the effort of our lawyers as domain experts around data privacy was combined with the technical knowledge that Fieldfisher has built up in-house, as well as help from our document processing specialists.
“This has only been possible by relying on the knowledge that Fieldfisher has built around BRYTER tools for a long time. We have been using BRYTER and other tools to deploy several solutions to a number of Fieldfisher offices, not just in Germany, but in the United Kingdom and Belgium as well.”
As an industry expert on data protection and privacy rules, Oliver also reflected on the plans to utilize no-code further in launching new innovative digital solutions for clients. “There is great potential in using BRYTER for Data Protection related tools, since many workflows can be modelled into decision trees, which is exactly what BRYTER tools are built around. We are currently exploring a number of ideas in our effort to serve our clients the best way we can.”
To find out more, visit Fieldfisher’s website. Alternatively, if you want to learn more about how you can quickly and easily build self-service applications without code, book an ideation session with one of our experts.