Update Your Contracts Incorporate New Standard Contractual Clauses

The world of data privacy continues to evolve at an incredible rate. After groundbreaking changes related to the passage of the General Data Protection Regulation (GDPR) in May 2018 and the Schrems II ruling in July 2020, invalidating the US-EU Privacy Shield, it was clear that the EU urgently needed to update the language in standard contractual clauses (“SCCs” or “Model Clauses”). In June of 2021, new Model Clauses were established. The language in these model clauses have been approved by the European Commission and can be used as standard data protection and data transfer terms in contracts that govern the protection of EU personal data when transferred outside the EU.

Modern Model Clauses for an evolving data protection landscape 

The earliest set of Model Clauses were adopted in 2001. While they have been refined, supplemented and revised a few times since then, the usage of personal data has changed dramatically in the last 20 years and it became necessary to create a new set of Model Clauses. The new Model Clauses are designed for data processors and controllers, providing both groups with language to govern the transfer and protection of personal data. 

The clauses are grouped into sets of designated language for each respective role in a data transfer activity. This modular approach allows for any combination of processors and controllers involved in a data transfer, even including the possibility that there may be more than two parties involved. There are even improvements that allow for additional parties to be included in the contractual framework after the initial agreement is completed (the “docking clause”).

The updated SCCs are in line with fundamental individual rights provided by GDPR and can account for data transfers that fit a broad range of circumstances related to the geographical location of data subjects, controllers and processors. There’s also specific language included in the Model Clauses that address Schrems II requirements regarding local laws and data access for public authorities. This includes a standard toolbox of agreement language addressing the Schrems II judgment that can serve as a starting point. From that baseline version, Model Clauses also include a series of supplementary clauses related to specific technical security measures like encryption or pseudonymised data.

What happens next?

Companies that rely on agreements to manage the transfer or use of data from customers or employees in EU countries need to act quickly. New agreements need to make use of this new language immediately, and legacy contracts will have until 27 December, 2022, to make necessary updates to outdated terms. That leaves very little time for organisations to analyse their library of contracts, identify terms related to data transfers, categorise them properly and adopt the new Model Clauses. 

In-house legal teams and outside counsel will have to find a way to complete the work efficiently to meet compliance deadlines.

The new Model Clauses are lengthy documents containing primarily standardised text. Throughout the clauses, there are fields that need to be populated with information specific to that contract—names of the data processor and controller, the type of data being processed, any other relevant parties, etc. Sorting through all the pages to find the correct place for this information can be extremely time intensive. At scale, it can turn into an inefficient use of critical contracting resources.

For organisations that do business at a global level, many data processing agreements with suppliers and vendors will need to be updated and signed again. Contracting and procurement teams need to determine a strategy to efficiently update language in individual contracts or build a streamlined process to update clauses in large batches.

Updating contracts with new clauses 

To ensure that all contracts are updated with the new Model Clauses, there’s a simple, linear remediation process. Teams need to have the tools and processes in place to execute the following workflow steps:

• Discover/collect relevant data: Gather together all relevant agreements and supporting documentation. This is best done when all the documents are stored in similar file types and in similar locations. Minimising the differences between documents makes analysis much simpler.
• Assess exposure: Once all of the relevant documents have been produced and collected, contract specialists need to analyse the existing information to identify opportunity, risk or areas to update.
• Triage and categorise exposure: After the analysis is completed, the team needs to sort contracts into groups based on the work that needs to be done. It’s also critical here to pinpoint the agreements that need immediate action and those that can wait.
• Ongoing communication: The contract updating process should be done with maximum stakeholder visibility. It’s important to notify any impacted parties of findings from contract analysis and keep them aware of any upcoming activities.
• Amend and negotiate contracts: All involved parties need to agree on the terms of a new agreement, including the updated Model Clauses. 
• Sign contracts: Codify the new updates with signatures to complete the agreements.
• Track process: Determine an appropriate cadence to review progress made toward new commitments. Understand which parties need to make specific changes and hold those parties accountable
• for complying with the new commitments.

How can DocuSign help?

DocuSign offers some of today’s most advanced tools to help contracting teams update contract templates, review existing documents and implement broad changes. These tools are especially effective for teams looking to effectively manage broad revisions across high volumes of contracts. Here’s a short list of some cutting-edge solutions to consider as your team responds to the Model Clause updates. 

• Electronic Signature: Whether it’s new contracts that need to be finalised or updated agreements that need to be updated, documents with the new Model Clauses have to be signed to go into effect. DocuSign eSignature is the fastest, easiest way for any number of global signers to complete contracts.
• Contract analytics: The fastest way to analyse existing agreements for compliance with new legal evolutions is artificial intelligence technologies. DocuSign Insight combines natural language processing, machine learning and rules-based logic to find, filter and analyse agreements quickly.
• Contract lifecycle management: Streamline the agreement lifecycle by connecting end-to-end processes with DocuSign CLM. Use smart contract management to automate manual tasks, remove unnecessary manual work, align complex workflows, eliminate errors and reduce risks.
• Guided Forms: Rather than reading through the full text of every new clause that needs to be included in a contract, Guided Forms provides a step-by-step experience that quickly moves among the nonstandard portions of an agreement. With Guided Forms, a contracting specialist can quickly create a form that collects only the unique details needed to complete an updated Model Clause and decides time spent on the redundant standard language sections.
• Clickwrap agreements: For some organisations, the new Model Clauses will require vendors and customers to agree to new terms, particularly with data processing agreements. DocuSign Click offers a seamless, embedded experience for consumers, allowing them to agree to new terms with a single click. Information about which customers agreed to specific terms and when they did so is kept in a detailed audit history.

DocuSign use of Binding Corporate Rules

This article is directed to organisations who elect to use Standard Contractual Clauses as the applicable data transfer mechanism recognised under Article 46(2)(c) of the General Data Protection Regulation (“GDPR”).  However, it should be highlighted that other data transfer mechanisms are also recognised under Article 46(2) of the GDPR, specifically the Binding Corporate Rules (“BCRs”). BCRs are widely considered the "gold standard" for the transfer of personal data owing to the rigorous scrutiny by EU regulators in approving BCRs on a case-by-case basis.  DocuSign is proud to evidence its commitment to privacy by being one of the limited number of organisations globally with approved BCRs.  . 

Customers can rely on DocuSign BCRs as an approved data transfer mechanism with respect to its use of DocuSign Services for processing its personal data. .

*This blog is offered for general information purposes. It is not intended as, nor is it a substitute for, legal advice.