Update Your Contracts to Comply with New Standard Contractual Clauses
The world of data privacy continues to evolve at an incredible rate. After groundbreaking changes related to the passage of the General Data Protection Regulation (GDPR) in May 2018 and the Schrems II ruling in July 2020, invalidating the US-EU Privacy Shield, it was clear that the EU urgently needed to update the language in standard contractual clauses (“SCCs” or “Model Clauses”). In June of 2021, new SCCs were established. The language in these model clauses has been approved by the European Commission and should be used as standard data protection and data transfer terms in contracts that govern the processing of EU personal data.
Modern SCCs for a new data protection landscape
The earliest set of SCCs (controller-to-controller) was adopted in 2001. While they have been refined, supplemented and revised a few times since then, the usage of personal data has changed dramatically in the last 20 years and it became necessary to create a new set of Model Clauses. The new SCCs are designed for data processors and controllers, providing both groups with language to govern the transfer of data.
The clauses are grouped into sets of designated language for each data transfer scenario. This modular approach allows for any combination of processors and controllers to be involved in a data transfer, even including the possibility that there may be more than two parties involved. There are even improvements that allow for additional parties to be attached after the initial agreement is completed (the “docking clause”).
The updated SCCs are in line with consumer protections provided by GDPR and can account for data transfers that fit a broad range of circumstances related to the geographical location of consumers, controllers and processors. There’s also specific language included in each of the SCC modules that can address Schrems II requirements regarding local laws and data access for public authorities. This includes a standard toolbox of agreement language that complies with the Schrems II judgment and can serve as a starting point. From that baseline copy, SCCs also include a series of supplementary clauses related to specific circumstances like encryption or pseudonymised data.
What happens next?
Companies that rely on agreements to manage the transfer or use of data from consumers or employees in EU countries need to act quickly. New agreements need to make use of this new language immediately, and legacy contracts will have a one-year grace period to make necessary updates to outdated terms. That leaves very little time for organisations to analyse their library of contracts, identify terms related to data transfers, categorise them properly and adopt the new SCC language.
In-house legal teams and outside counsel will have to find a way to complete the work efficiently to meet compliance deadlines.
The new SCCs are lengthy documents containing primarily standardised text. Throughout the clauses, there are fields that need to be populated with information specific to that contract—names of the data processor/controller, the type of data being processed, any other relevant parties, etc. Sorting through all the pages to find the correct place for this information can be extremely time intensive. At scale, it can turn into a wasteful use of critical contracting resources.
For organisations that do business at a global level, many data processing agreements with suppliers and vendors will need to be updated and potentially signed again. Contracting and procurement teams need to determine a strategy to efficiently update language in individual contracts or build a streamlined process to update clauses in large batches.
Updating contracts with new clauses
To ensure that all contracts are updated with the correct SCCs, there’s a simple, linear remediation process. Teams need to have the tools and processes in place to execute the following workflow steps:
- Discover/collect relevant data: Gather together all relevant agreements and supporting assets. This is best done when all the data is stored in similar file types and in similar locations. Minimising the differences between documents makes analysis much simpler.
- Assess exposure: Once all of the information has been produced and collected, contract specialists need to analyse the existing information to identify opportunity, risk or areas to update.
- Triage and categorise exposure: After the analysis is completed, the team needs to sort contracts into groups based on the work that needs to be done. It’s also critical here to pinpoint the agreements that need immediate action and those that can wait.
- Ongoing communication: The contract updating process should be done with maximum stakeholder visibility. It’s important to notify any impacted parties of findings from contract analysis and keep them aware of any upcoming activities.
- Amend and negotiate contracts: All involved parties need to agree on the terms of a new agreement, including the updated SCCs. To be sure the correct clause is included, the processors and controllers need to be clearly identified at this point.
- Sign contracts: Codify the new updates with signatures to complete the agreements.
- Track process: Determine an appropriate cadence to review progress made toward new commitments. Understand which parties need to make specific changes and hold those parties accountable for maintaining the new standards.
How can DocuSign help?
DocuSign offers some of today’s most advanced tools to help contracting teams update contract templates, review existing documents and implement broad changes. These tools are especially useful for teams that need to manage broad revisions across high volumes of contracts. Here’s a short list of some cutting-edge solutions to consider as your team responds to the SCC updates.
- Electronic Signature: Whether it’s new contracts that need to be finalised or existing agreements that need to be updated, documents with the new SCCs have to be signed to go into effect. DocuSign eSignature is the fastest, easiest way for any number of global signers to complete contracts.
- Contract analytics: The fastest way to analyse existing agreements for compliance with new legal evolutions is artificial intelligence technologies. DocuSign Insight combines natural language processing, machine learning and rules-based logic to find, filter and analyse agreements quickly.
- Contract lifecycle management: Streamline the agreement lifecycle by connecting end-to-end processes with DocuSign CLM. Use smart contract management to automate manual tasks, remove unnecessary manual work, align complex workflows, eliminate errors and reduce risks.
- Guided Forms: Rather than reading through the full text of every new clause that needs to be included in a contract, Guided Forms provides a step-by-step experience that quickly moves among the nonstandard portions of an agreement. With Guided Forms, a contracting specialist can quickly create a form that collects only the unique details needed to complete an updated SCC and reduces time spent on the redundant standard language sections.
- Clickwrap agreements: For some organisations, the new SCCs will require vendors and customers to agree to new terms, particularly with data processing agreements. DocuSign Click offers a seamless, embedded experience for consumers, allowing them to agree to new terms with a single click. Information about which customers agreed to specific terms and when they did so is kept in a detailed audit history.
*This blog is offered for general information purposes. It is not intended as, nor is it a substitute for, legal advice.