Schrems II – Update your contracts until 27.12.2022

Schrems II – What does that mean for you?

With the EU Commission’s implementing decision ((EU) 2021/914 COM), all standard contractual clauses for data transfers to third countries must be adapted. This has already been mandatory for new contracts since September 27, 2021, and existing contractual relationships must be adjusted by December 27, 2022.

What do you have to pay special attention to?

Probably the most extensive change is the obligation of the data submitter to conduct a so-called “Transfer Impact Assessment” (abbreviated to “TIA”). This includes a comprehensive risk assessment of third country transfers on a case-by-case basis. Legal peculiarities in the destination country must be taken into account and may entail special contractual, organizational or technical compensatory measures to protect personal data. This can lead to sometimes considerable additional costs for the data recipient and a change in the previous contract conditions.

Consequences of non-compliance

After the deadline of December 27, 2022, fines of up to 4% of annual sales or 20,000,000 euros may be levied if the previous models continue to be used. Claims for damages by those affected and warnings from competitors are further possible consequences. The transparency obligations under data protection law make it easy for third parties to determine whether the new requirements have been implemented, making repression not unlikely. Those who have not yet started updating their standard contractual clauses should do so immediately. The complexity of this process should not be underestimated, and failure to implement it is readily apparent and poses a high risk of liability.

We can assist you in adapting your standard contractual clauses. Feel free to contact us.