Subscribe

How Canadian Brands Doing Business with the EU Must Comply with New Model Contracts

By Ritchie Po
0

Retail industry news delivered directly to you. Subscribe to Retail-Insider.

What’s Changed?

The EU permits businesses to transport personal data of European data subjects outside of Europe as long as a company receiving that personal information uses the EU-approved Standard Contractual Clauses (“SCCs”) in their service agreement contracts. The SCCs were revised on June 4, 2021. Any brand that collects their EU customers’ personal information needs to ensure that their service agreements have SCCs in place, or they will no longer be able process their EU clients’ information or do business in the EU.

How Will This Affect My Brand?

You will need to make sure that you comply with the EU regulations and use these new contractual clauses in the following situations, even if you’re based in Canada or any other country outside the EU:

  • If you have a large European clientele and need to transport their personal information back and forth between Canada and the EU
  • If you use IT services based in the EU and regularly transfer personal information back and forth
  • If you have an office in the EU and EU-based employees

If your brand does business in the EU, your company is subject to the General Data Protection Regulation (GDPR) and likely rely on the SCCs which were enacted as part of the GDPR to transfer personal data across borders in the course of your business. This ensures that even if the laws differ where you are and where your customer resides, that their personal data is sufficiently protected. SCCs are often included in service agreements or contracts where personal data is transferred from an EU country to non-EU nation, and are almost always used within the EU to transfer personal data across borders. This has ramifications on the data that you can share with your supply chain. Here are some of the changes to the new set of SCCs.

Processing of Personal Data

The GDPR applies if you are “processing” – collecting, using, disclosing, and storing – personal data concerning identifiable individuals. In the words, any personal information you gather from your EU customers is subject to this law. Even if your European clientele does not comprise a large component of your customer base at this time, once your business expands into that market and beyond, you should be able to demonstrate compliance with the GDPR.

Any business that makes decisions on how personal data is to be processed is known as a “controller” for the purposes of the GDPR. Any sub-contractors who process personal data on the controller’s instructions are known as “processors”. The terminology is important, as the obligations differ according to a company’s role in any B2B arrangement where personal data is being transferred.

Transfer of Personal Data

Chances are, you are not only processing personal data from customers, but you are also using a number of contractors and third-party vendors to make your business run. The revised SCCs are intended to protect customer privacy in any B2B transfer of personal data. This may include, but is not limited to, the following:

  • Credit card payment processing
  • Market research data analysis
  • Customer profiling
  • Accounting, payroll, and other human resource-related functions (because GDPR also applies to your EU-based employees, too)

In other words, the GDPR applies not just to your business, but to your entire supply chain as well.

Territorial Scope

One of the growing pains in a business, particularly as the world has become increasingly virtual in terms of service delivery due to the Covid-19 pandemic, is that data privacy protection laws can vary amongst countries, and sometimes they even vary within the same country. For instance, in Canada, PIPEDA governs all privacy-sector entities, but provinces have their own versions of the same legislation that imposes stricter conditions on data transfer. But even with those laws in place, if a Canadian retailer processes personal data of EU customers, they must ensure that they and their service providers comply with the GDPR requirements. The challenge is in ensuring you comply with each applicable legislation.

Obligations: Module-based data transfers

The main change to the SCCs is that the new clauses are tailor-made and easily adaptable to B2B transfers of personal data. Although the previous version of the SCCs (which you may have right now with your third-party vendors) impose similar obligations, there are ambiguities in certain areas. The revised SCCs are intended to clarify these ambiguities and make the obligations easier for a business to understand and interpret.

The new module-based SCCs are actually more user-friendly and less ambiguous in terms of how data transfers take place and the safeguards for those transfers to take place. By using a scenario-based module, you and your privacy and legal teams can use the appropriate SCCs applicable to your business arrangement. Here are some examples of how the new scenarios apply to a company:

  • Module 1 – controller to controller transfer: you are a retailer transferring personal data on EU customers to another retailer, and both you and your retailing partner make decisions on how data is to be processed. An example is creating a customer database to whom you perform directed marketing in a joint effort with another business.
  • Module 2 – controller to processor transfer: you provide personal data to a third-party marketing firm to gather customer feedback and intel on an advertising campaign or a recent product launch. The marketing firm takes instructions from you on how to process the data.
  • Module 3 – processor to processor transfer: your third-party bookkeeping company provides your customer personal data to a third-party IT solution firm to crunch data.
  • Module 4 – processor to controller transfer: your third-party actuary has processed financial information relating to your workforce (on which you provided instructions) and provides you with a detailed financial report.

Because the revised SCCs are tailored specifically to outline the minimum legal requirements based on data transfer in a B2B relationship, they are intended to be more business-friendly than the original SCCs.

The revised SCCs also have considerable legal consequences. In the event of a privacy breach, a business characterized as a data controller may be held liable for any breaches caused by a processor, due to their position in the business relationship as a head contractor. The SCCs are intended to minimize risk by setting requirements for data protection to limit liability and to demonstrate due diligence. While the new SCCs have not yet been challenged in court, it is expected that they will more clearly outline contractual obligations in any transfer of personal data in a B2B relationship involving at least one EU-based party to that contract.

The Timeline: When do I have to be compliant?

The current set of SCCs already in place can be used in new contracts until September 27, 2021. The advent of the revised SCCs does not invalidate any agreements you currently have with a third-party vendor that processes personal data on your company’s behalf. However, with the implementation of the revised SCCs, it may not be worthwhile to use the soon-to-be-obsolete versions and to renegotiate the deal.

There is a transition period to align your current SCCs with the revised version. The EU has given a deadline of December 22, 2022, for all companies using the SCCs to renegotiate their contracts and include the revised SCCs into agreements where there is a transfer of personal data across borders.

The effects of non-compliance are unknown at this time. However, a cautionary tale can be gleaned by the demise of the US-EU Privacy Shield, a legal framework that at one time permitted the transfer of personal data between the US and the EU. The Privacy Shield was struck down in the European Court of Justice in July 2020, effectively ending the transfer of personal data, except in cases where a company had used SCCs in their agreements with their service providers. Companies that did not use the SCCs had to scramble to renegotiate all of their agreements with service providers to comply with the GDPR.

How can Kobalt help?

Kobalt is an IT security services firm serving small to medium sized businesses (SMBs) based in Vancouver, BC, with services to the retail sector. As part of their service module, Kobalt offers data privacy gap analysis and compliance services to SMBs, with a focus on complying with applicable privacy laws such as the GDPR Kobalt’s Privacy Practice Lead, Ritchie Po, is a Certified Information Privacy Officer with both Canadian and EU (GDPR) designations. In January 2021, Mr. Po presented on the topic of Bill C-11 and how changes to Canadian federal data privacy laws can affect retailers in the future.

If you are interested in discussing GDPR compliance and other IT security-related services, contact Ritchie Po at:Ritchie.po@kobalt.io.

*Partner content. To work with Retail Insider, email craig@retail-insider.com

Main Archive

Article Author

Ritchie Po
Ritchie Po
Ritchie Po is a privacy and cybersecurity lawyer based in Vancouver, with considerable experience in data breach handling and technology procurement. He runs his own practice focusing on data privacy law and is a legislative consultant. He is also the original copy editor for Retail Insider.

More From The Author

Luxury Resell Boutique Mine & Yours Opens Impressive Storefront in Vancouver’s...

Ritchie Po -
The popular retailer has been in business for almost a decade and is now looking at expanding into other markets in Canada.
Consumer protection, law and justice concept with man's hand holding magnifying glass.

Free Zoom Webinar on January 21 on Bill C-11 and its...

Ritchie Po -
The webinar will discuss privacy law which has implications for Canadian retailers.

RECENT RETAIL INSIDER VIDEOS

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement -

Latest Stories

No posts to display

Elevating Canadian Retail: How JLL’s Expertise Reshapes Property Management [Interviews]

Mario Toneguzzi -

Gen Z’s Digital Upbringing Meets a Passion for Tangible Retail and Authentic Brands [Interview]

Mario Toneguzzi -

Interview with Giant Tiger’s New CEO Gino DiGioacchino on the Future of the Iconic Canadian Retailer [Interview]

Mario Toneguzzi -

Purdys Chocolatier Expands Footprint with Pop-Up Stores [Interview]

Mario Toneguzzi -

Colliers Report Emphasizes the Retail Advantage of Bridging the Digital-Physical Divide [Interview]

Mario Toneguzzi -

Preview of ICSC@CANADA Conference 2023: Retail, Technology, and Networking Opportunities in Toronto [Interview]

Retail Insider -

Canadian Grocers Take a Page from Carrefour’s Playbook to Tackle ‘Shrinkflation [Op-Ed]

Sylvain Charlebois -

Jeweller Mejuri Debuts Personalized App and Innovative Membership Program; Plans Expansion with 5 New Stores [Co-Founder Interview]

Mario Toneguzzi -

Fast-Casual Restaurant Concept MightyBird Opening 1st Location in Toronto in a Partnership [Interviews]

Mario Toneguzzi -

KIT + ACE Launches Store Expansion in Canada Under New Ownership [Interview]

Mario Toneguzzi -

Casual Steakhouse Chain MR MIKES Expanding Further in Canada [Interview]

Mario Toneguzzi -

Canadian Retail Sales: A Slight Recovery Amidst Economic Challenges [J.C. Williams Group Analysis]

Retail Insider -

Bloor Street Retail Transformation: Luxury Brands, Renovations, and New Openings in Toronto [Podcast]

Retail Insider -

Ricardo’s Kandy Korner to Open Flagship Candy Store at CF Toronto Eaton Centre in Toronto [Interview]

Mario Toneguzzi -

PizzaForno Expands Into Toronto’s Public Transit System, Sets Sights on Airport Locations for Automated 3-Minute Pizzas [Interview]

Mario Toneguzzi -

Calgary’s Retail Space Crunch Drives Surge in Rental Rates and Demand [Report]

Mario Toneguzzi -

Lush Cosmetics Sets Ambitious Expansion Plans for Canada Including New Spa Locations, Services, and Entertainment Partnerships [Interview]

Shelby Hautala -

Canadian Consumers Adjust to Higher Cost of Living [Survey/Video Interview]

Mario Toneguzzi -

Canadian Shoppers Embrace Generative AI for Shopping Suggestions: Report

Mario Toneguzzi -

Inside the New KITH Store on Yorkville Avenue in Toronto [Photos]

Craig Patterson -

Canadians Gear Up for Early Holiday Shopping Amid Economic Uncertainty [Feature Report]

Mario Toneguzzi -

Follow us

4,265FansLike
6,734FollowersFollow
10,764FollowersFollow

all-time Popular

spot_img

About

Contact

Media

Follow

© 2023 Retail Insider Media Ltd. All Rights Reserved. The content on this website is protected by the copyrights of Retail Insider Media Ltd. or the copyrights of third parties and used by agreement. No part of any of the content of this website may be reproduced, distributed, modified, framed, cached, adapted or linked to, or made available in any form by any photographic, electronic, digital, mechanical, photostat, microfilm, xerography or other means, or incorporated into or used in any information storage and retrieval system, electronic or mechanical, without the prior written permission of Retail Insider Media Ltd. or the applicable third party copyright owner.