And only rely on credible sources. If you want to be 100% sure you're dealing with the right documents for standard contractual clauses (SCCs), cf. the Schrems II ruling and Clause 14 on transfer impact assessments (TIAs, also called TRAs - transfer risk assessments, for example by the UK ICO or DTRAs - data transfer risk assessments, by the Dutch government), get them from the main source.
Also see the DPIAs and DTRAs for Microsoft and Google at the end of this article, shared by the Dutch government. 👇
SCCs main source
- UPDATE MAY 2022: The European Commission shared a Q&A for the 2021 SCCs, including a few potential shockers. You might want to start with my LinkedIn post on this (that caused a lot of ruckus and, to an extent, disagreement 🔥), but if you'd like to avoid all the drama, here's the direct download link for the PDF.
- In this overview, we only focus on the SCCs for the transfer of personal data to third countries, with the official text found here.
- And here's the initial press release from the European Commission. Note, however, that this refers to both sets of new SCCs - for our purposes here you can disregard the one which applies for the use between controllers and processors, effectively a data processing agreement as per Article 28(3).
Confused? Then read my article What are EU standard contractual clauses (SCCs) to make sure you're aware of the (important) difference.
David Rosenthal's TIA Toolbox
David has put down significant work to provide hands-on help for our community - for free. 👏 Check out relevant links below (and give him a thumbs up on his LinkedIn posts).
- His recent (August 2022) 94-pages Rosenthal Method FAQ on TIAs which is (also) packed with relevant information on FISA 702.
- His LinkedIn post on a simpler TIA, in particular for intra-group cross-border data flows.
- His LinkedIn post on an expanded TIA Toolbox which includes a questionnaire for US providers (and other nuggets).
- His LinkedIn post which links to a 73-pages PDF walkthrough of the new SCCs with numerous relevant questions and answers.
- Especially useful are the draft template for Transfer Impact Assessments and the flow chart to check international data transfers.
First, the Commission only shared the new SCCs in one, long PDF document... They later added a Word version, but it's still all-in-one. Fortunately, we have more awesome people in our community to helps us.
A special thanks goes to Christopher Schmidt, who not only shares his redline versions of EDPB documents (almost before they've published their final versions!), but also made (probably) the world's first SCC generator.
There are now several other generators out there, but none other I have tried myself. Please share if you think other resources deserve a spot here.
Which module(s) to choose? 🤯
You might not find it straightforward to understand the new structure of the SCCs with four modules and various voluntary clauses. Then this overview from Walder Wyss attorneys, can be helpful: Overview SCCs constellations. Here is a preview of the 5 first scenarios:
Other useful resources
- 🎙 Grumpy GDPR podcast episode Standard Confusing Clauses
- Article What are EU standard contractual clauses (SCCs)
Microsoft and Google DPIAs and (D)TIAs
We're fortunate enough to have some really pro-active public sector people who started to address transfer challenges early on, especially from the Dutch government. They have not only put down extensive work in DPIAs and (D)TIAs, but have also shared this publically, including for:
- Data Transfer Impact Assessment on Microsoft Teams, OneDrive and Sharepoint
- DPIA Microsoft Teams, SharePoint and OneDrive online
- DPIA Office 365 for the Web and mobile apps
- DPIA Office 365 ProPlus
- DPIA Windows 10 Enterprise
- DPIA Diagnostic data processing in Microsoft Office ProPlus
- DPIA Microsoft Intune
- DPIA G Suite Enterprise and Google Workspace
PS: Got to love their slogan: "Head in the cloud, feet on the ground!"
#Bigtech processors own responses
Finally, some whitepapers and links that could contribute to your understanding of the new SCCs and which are definitely relevant if you use any of these as a sub-processor.
- AWS blog on new SCCs and their whitepaper on data transfers.
- Google Cloud whitepaper Approach to the new SCCs.
- Google Cloud whitepaper Safeguards for international data transfers.
- Microsoft, as usual, only manages to confuse more than clarify, so I won't add any links to their incomprehensible maze of terms, DPAs etc. to avoid you getting more grey hair than necessary.