The new SCCs - top tips from our privacy experts

Charlotte Bossen NielsenCharlotte Bossen Nielsen
Written by
Charlotte Bossen Nielsen
November 26, 2022

On Wednesday, we had the pleasure of hosting a virtual panel discussion on the new SCCs featuring a panel of privacy experts.

Read on for their best advice and insights to help get your contracts ready.

Aušra Mažutavičienė - Head of Privacy at Trustpilot

  1. Assess your vendor list (if you don't have one - start with that!) and determine which vendor contracts actually require new SCCs to be incorporated. You probably don't need to update all your vendor agreements, just the ones where the vendor does not fall within the scope of the GDPR.
  2. For the vendors that actually require new SCCs called out in the contract, prioritise them based on the processing operations, i.e. start with your sub-processors, biggest vendors who have access to your internal business systems, process sensitive or high volumes of personal data, etc.
  3. Make sure you get the vendors to complete all the relevant annexes of the SCCs to give you a solid ground to complete your TIA (transfer impact assessment).

Francesco Perrone - Head of Data Privacy & Compliance at Game Analytics

  1. Always start from your Article 30 data mapping and ISO27001 annotated gap analysis when prioritizing your contract compliance efforts.
  2. Maintain a "Local Law Assessment" to support your stakeholders cooperation activities.
  3. Always perform a preliminary TIA (transfer impact assessment) not only to understand how to ensure compliance, but to determine if the transfer at hand is necessary at all. 

Niels-Peter Kjølbye, Attorney-at-law & Associate Partner at Donatzky & Partnere

  1. Take the initiative to finish your own risk assessments.
  2. Use the risk assessment to set your own fair standard for the most important negotiation/documentation points of the SCC’s (security measures, authorization regarding sub-processors, notification deadline for change of sub-processors, and potential supplementary measures to the SCC’s).
  3. Do not rely on the EU/US version 3 transfer agreement to solve everything for US transfers.

Stine Mangor Tornmark, Co-founder and CEO at Openli

  1. Have an overview of all your data processors.
  2. Look at the DPA with each processor and find out where they are located and who they use as sub processors. Anyone located or processing data outside the EU, write to them and get the SCCs.
  3. Remember that many are listing their sub processors incorrectly so take a close look at the list. 

A big thank you to Aušra, Francesco, Niels-Peter and Stine for sharing their time and expertise with us.