Schrems II – What does that mean for you?
With the EU Commission’s implementing decision ((EU) 2021/914 COM), all standard contractual clauses for data transfers to third countries must be adapted. This has already been mandatory for new contracts since September 27, 2021, and existing contractual relationships must be adjusted by December 27, 2022.
What do you have to pay special attention to?
Probably the most extensive change is the obligation of the data submitter to conduct a so-called “Transfer Impact Assessment” (abbreviated to “TIA”). This includes a comprehensive risk assessment of third country transfers on a case-by-case basis. Legal peculiarities in the destination country must be taken into account and may entail special contractual, organizational or technical compensatory measures to protect personal data. This can lead to sometimes considerable additional costs for the data recipient and a change in the previous contract conditions.
Consequences of non-compliance
After the deadline of December 27, 2022, fines of up to 4% of annual sales or 20,000,000 euros may be levied if the previous models continue to be used. Claims for damages by those affected and warnings from competitors are further possible consequences. The transparency obligations under data protection law make it easy for third parties to determine whether the new requirements have been implemented, making repression not unlikely. Those who have not yet started updating their standard contractual clauses should do so immediately. The complexity of this process should not be underestimated, and failure to implement it is readily apparent and poses a high risk of liability.
We can assist you in adapting your standard contractual clauses. Feel free to contact us.
© 2023 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.
KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.