Ultimate resources for SCCs and TIAs - Schrems II

📚 Your go-to overview for hands-on practical resources to deal with Schrems II, SCCs and TIAs

2 years ago   •   3 min read

By Rie Aleksandra Walle
⛔
These resources aren't a silver bullet for SCC, Schrems II, TIA or any type of GDPR compliance. They can, however, be useful for and add to your privacy and data protection work.

And only rely on credible sources. If you want to be 100% sure you're dealing with the right documents for standard contractual clauses (SCCs), cf. the Schrems II ruling and Clause 14 on transfer impact assessments (TIAs, also called TRAs - transfer risk assessments, for example by the UK ICO or DTRAs - data transfer risk assessments, by the Dutch government), get them from the main source.

Also see the DPIAs and DTRAs for Microsoft and Google at the end of this article, shared by the Dutch government. 👇

🇪🇺🇺🇸 And, of course, the resource guide to the EU-US Data Privacy Framework.

PS: Access the GDPR online with all its Articles and Recitals on this ad-free, tracking-free site: GDPR.Fan

SCCs main source

  • UPDATE MAY 2022: The European Commission shared a Q&A for the 2021 SCCs, including a few potential shockers. You might want to start with my LinkedIn post on this (that caused a lot of ruckus and, to an extent, disagreement 🔥), but if you'd like to avoid all the drama, here's the direct download link for the PDF.
  • In this overview, we only focus on the SCCs for the transfer of personal data to third countries, with the official text found here.
  • And here's the initial press release from the European Commission. Note, however, that this refers to both sets of new SCCs - for our purposes here you can disregard the one which applies for the use between controllers and processors, effectively a data processing agreement as per Article 28(3).

Confused? Then read my article What are EU standard contractual clauses (SCCs) to make sure you're aware of the (important) difference.

David Rosenthal's TIA Toolbox

David has put in significant work to provide hands-on help for our community - for free. Check out relevant links below (and give him a thumbs up on his LinkedIn posts).

🎙️
PS: David visited our Grumpy GDPR podcast to talk about his toolkit and templates. Check out the episode on your usual podcast platform or here.
  • His recent (August 2022) 94-page Rosenthal Method FAQ on TIAs, which is (also) packed with relevant information on FISA 702.
  • His LinkedIn post on a simpler TIA, in particular for intra-group cross-border data flows.
  • His LinkedIn post on an expanded TIA Toolbox which includes a questionnaire for US providers (and other nuggets).
  • His LinkedIn post which links to a 73-page PDF walkthrough of the new SCCs with numerous relevant questions and answers.
  • Especially useful are the draft template for Transfer Impact Assessments and the flow chart to check international data transfers.

SCCs "generators"

First, the Commission only shared the new SCCs in one, long PDF document... They later added a Word version, but it's still all-in-one. Fortunately, we have more awesome people in our community to help us.

A special thanks goes to Christopher Schmidt, who not only shares his redline versions of EDPB documents (almost before they've published their final versions!), but also made (probably) the world's first SCC generator.

There are now several other generators out there, but none that I have tried myself. Please share if you think other resources deserve a spot here.

Which module(s) to choose? 🤯

You might not find it straightforward to understand the new structure of the SCCs with four modules and various voluntary clauses. In that case, this overview from Walder Wyss attorneys can be helpful: Overview SCCs constellations. Here is a preview of the first 5 scenarios:

Credit: Walder Wyss Ltd.

Other useful resources

Microsoft and Google DPIAs and (D)TIAs

We're fortunate enough to have some really pro-active public sector people who started to address transfer challenges early on, especially from the Dutch government. They have not only put extensive work into DPIAs and (D)TIAs, but have also shared this publicly, including for:

  • Data Transfer Impact Assessment on Microsoft Teams, OneDrive and Sharepoint
  • DPIA Microsoft Teams, SharePoint and OneDrive online
  • DPIA Office 365 for the Web and mobile apps
  • DPIA Office 365 ProPlus
  • DPIA Windows 10 Enterprise
  • DPIA Diagnostic data processing in Microsoft Office ProPlus
  • DPIA Microsoft Intune
  • DPIA G Suite Enterprise and Google Workspace

PS: Got to love their slogan: "Head in the cloud, feet on the ground!"

#Bigtech processors' own responses

Finally, some whitepapers and links that could contribute to your understanding of the new SCCs and which are definitely relevant if you use any of these as a sub-processor.
