The EU permits businesses to transport personal data of European data subjects outside of Europe as long as a company receiving that personal information uses the EU-approved Standard Contractual Clauses (“SCCs”) in their service agreement contracts. The SCCs were revised on June 4, 2021. Any brand that collects their EU customers’ personal information needs to ensure that their service agreements have SCCs in place, or they will no longer be able process their EU clients’ information or do business in the EU.
How Will This Affect My Brand?
You will need to make sure that you comply with the EU regulations and use these new contractual clauses in the following situations, even if you’re based in Canada or any other country outside the EU:
- If you have a large European clientele and need to transport their personal information back and forth between Canada and the EU
- If you use IT services based in the EU and regularly transfer personal information back and forth
- If you have an office in the EU and EU-based employees
If your brand does business in the EU, your company is subject to the General Data Protection Regulation (GDPR) and likely rely on the SCCs which were enacted as part of the GDPR to transfer personal data across borders in the course of your business. This ensures that even if the laws differ where you are and where your customer resides, that their personal data is sufficiently protected. SCCs are often included in service agreements or contracts where personal data is transferred from an EU country to non-EU nation, and are almost always used within the EU to transfer personal data across borders. This has ramifications on the data that you can share with your supply chain. Here are some of the changes to the new set of SCCs.
Processing of Personal Data
The GDPR applies if you are “processing” – collecting, using, disclosing, and storing – personal data concerning identifiable individuals. In the words, any personal information you gather from your EU customers is subject to this law. Even if your European clientele does not comprise a large component of your customer base at this time, once your business expands into that market and beyond, you should be able to demonstrate compliance with the GDPR.
Any business that makes decisions on how personal data is to be processed is known as a “controller” for the purposes of the GDPR. Any sub-contractors who process personal data on the controller’s instructions are known as “processors”. The terminology is important, as the obligations differ according to a company’s role in any B2B arrangement where personal data is being transferred.
Transfer of Personal Data
Chances are, you are not only processing personal data from customers, but you are also using a number of contractors and third-party vendors to make your business run. The revised SCCs are intended to protect customer privacy in any B2B transfer of personal data. This may include, but is not limited to, the following:
- Credit card payment processing
- Market research data analysis
- Customer profiling
- Accounting, payroll, and other human resource-related functions (because GDPR also applies to your EU-based employees, too)
In other words, the GDPR applies not just to your business, but to your entire supply chain as well.
One of the growing pains in a business, particularly as the world has become increasingly virtual in terms of service delivery due to the Covid-19 pandemic, is that data privacy protection laws can vary amongst countries, and sometimes they even vary within the same country. For instance, in Canada, PIPEDA governs all privacy-sector entities, but provinces have their own versions of the same legislation that imposes stricter conditions on data transfer. But even with those laws in place, if a Canadian retailer processes personal data of EU customers, they must ensure that they and their service providers comply with the GDPR requirements. The challenge is in ensuring you comply with each applicable legislation.
Obligations: Module-based data transfers
The main change to the SCCs is that the new clauses are tailor-made and easily adaptable to B2B transfers of personal data. Although the previous version of the SCCs (which you may have right now with your third-party vendors) impose similar obligations, there are ambiguities in certain areas. The revised SCCs are intended to clarify these ambiguities and make the obligations easier for a business to understand and interpret.
The new module-based SCCs are actually more user-friendly and less ambiguous in terms of how data transfers take place and the safeguards for those transfers to take place. By using a scenario-based module, you and your privacy and legal teams can use the appropriate SCCs applicable to your business arrangement. Here are some examples of how the new scenarios apply to a company:
- Module 1 – controller to controller transfer: you are a retailer transferring personal data on EU customers to another retailer, and both you and your retailing partner make decisions on how data is to be processed. An example is creating a customer database to whom you perform directed marketing in a joint effort with another business.
- Module 2 – controller to processor transfer: you provide personal data to a third-party marketing firm to gather customer feedback and intel on an advertising campaign or a recent product launch. The marketing firm takes instructions from you on how to process the data.
- Module 3 – processor to processor transfer: your third-party bookkeeping company provides your customer personal data to a third-party IT solution firm to crunch data.
- Module 4 – processor to controller transfer: your third-party actuary has processed financial information relating to your workforce (on which you provided instructions) and provides you with a detailed financial report.
Because the revised SCCs are tailored specifically to outline the minimum legal requirements based on data transfer in a B2B relationship, they are intended to be more business-friendly than the original SCCs.
The revised SCCs also have considerable legal consequences. In the event of a privacy breach, a business characterized as a data controller may be held liable for any breaches caused by a processor, due to their position in the business relationship as a head contractor. The SCCs are intended to minimize risk by setting requirements for data protection to limit liability and to demonstrate due diligence. While the new SCCs have not yet been challenged in court, it is expected that they will more clearly outline contractual obligations in any transfer of personal data in a B2B relationship involving at least one EU-based party to that contract.
The Timeline: When do I have to be compliant?
The current set of SCCs already in place can be used in new contracts until September 27, 2021. The advent of the revised SCCs does not invalidate any agreements you currently have with a third-party vendor that processes personal data on your company’s behalf. However, with the implementation of the revised SCCs, it may not be worthwhile to use the soon-to-be-obsolete versions and to renegotiate the deal.
There is a transition period to align your current SCCs with the revised version. The EU has given a deadline of December 22, 2022, for all companies using the SCCs to renegotiate their contracts and include the revised SCCs into agreements where there is a transfer of personal data across borders.
The effects of non-compliance are unknown at this time. However, a cautionary tale can be gleaned by the demise of the US-EU Privacy Shield, a legal framework that at one time permitted the transfer of personal data between the US and the EU. The Privacy Shield was struck down in the European Court of Justice in July 2020, effectively ending the transfer of personal data, except in cases where a company had used SCCs in their agreements with their service providers. Companies that did not use the SCCs had to scramble to renegotiate all of their agreements with service providers to comply with the GDPR.
How can Kobalt help?
Kobalt is an IT security services firm serving small to medium sized businesses (SMBs) based in Vancouver, BC, with services to the retail sector. As part of their service module, Kobalt offers data privacy gap analysis and compliance services to SMBs, with a focus on complying with applicable privacy laws such as the GDPR Kobalt’s Privacy Practice Lead, Ritchie Po, is a Certified Information Privacy Officer with both Canadian and EU (GDPR) designations. In January 2021, Mr. Po presented on the topic of Bill C-11 and how changes to Canadian federal data privacy laws can affect retailers in the future.
If you are interested in discussing GDPR compliance and other IT security-related services, contact Ritchie Po at:Ritchie.firstname.lastname@example.org.
*Partner content. To work with Retail Insider, email email@example.com