Ico Standard Contractual Clauses Consultation

ICO Standard Contractual Clauses Consultation: What You Need to Know

In today`s global business landscape, personal data is often transferred across borders. Companies that operate internationally must ensure that they comply with the EU General Data Protection Regulation (GDPR) when transferring personal data to countries outside the European Economic Area (EEA).

One of the ways to ensure compliance is through the use of Standard Contractual Clauses (SCCs). SCCs are pre-approved contractual terms that regulate data transfers between a data controller in the EU/EEA and a data processor outside the EU/EEA.

The Information Commissioner`s Office (ICO) is responsible for regulating data protection in the UK. The ICO has recently launched a public consultation on their new draft SCCs for international personal data transfers. The consultation is open until December 10, 2021.

Why is this consultation important?

The new SCCs aim to address the challenges posed by the Schrems II decision. This decision invalidated the Privacy Shield, which was a framework for data transfers between the EU and the US. SCCs were deemed a valid method for transferring personal data outside the EEA, but the ruling emphasized the need to ensure that SCCs offer „adequate protection” to the personal data.

The revised SCCs proposed by the ICO are intended to provide greater protection for personal data transfers and to comply with the requirements of the GDPR. It is crucial for businesses to understand the changes proposed in this consultation and provide feedback to ensure that the SCCs reflect the needs of their industry and protect their data.

What are the key changes proposed in the new SCCs?

The proposed SCCs cover four different transfer scenarios, and they include the following key changes:

1. Enhanced provisions for onward transfers – The new SCCs require that a data processor who transfers personal data to another processor or a controller ensures that those parties also comply with the GDPR. There are also additional requirements for sub-processors.

2. Obligation to assess the laws of the recipient`s country – The data exporter must assess the laws and practices of the recipient`s country to ensure that they provide adequate protection for personal data.

3. Additional provisions for data processors – The proposed SCCs require data processors to maintain records of their processing activities and to provide the data exporter with access to these records.

4. More robust provisions for data subjects` rights – The new SCCs provide more robust provisions for data subjects` rights, including their right to information, access, rectification, and erasure.

What should businesses do?

Businesses that transfer personal data outside the EEA should review the proposed SCCs carefully and provide feedback to the ICO by December 10, 2021. The consultation paper and draft SCCs are available on the ICO`s website.

It is also important to review existing contracts and update them if necessary to ensure compliance with the GDPR and the proposed SCCs. Businesses should also ensure that their data processing activities are transparent and that they have appropriate technical and organizational measures in place to protect personal data.

Conclusion

The proposed SCCs aim to provide greater protection for personal data transfers and to comply with the requirements of the GDPR. Businesses that transfer personal data outside the EEA should review the draft SCCs carefully and provide feedback to the ICO by December 10, 2021. Updating contracts, ensuring transparency, and implementing appropriate measures will help businesses comply with the GDPR and protect personal data.