INTL-03

Will you sign appropriate GDPR Standard Contractual Clauses (SCCs) with the institution?

Explanation

This question is asking whether your company is willing to sign Standard Contractual Clauses (SCCs) to comply with the EU's General Data Protection Regulation (GDPR) when transferring personal data outside the European Economic Area (EEA).

What it means: Standard Contractual Clauses are pre-approved contractual terms and conditions that both data exporters (the institution) and data importers (your company) sign to ensure that personal data transferred outside the EEA receives adequate protection in line with GDPR requirements. SCCs are a legal mechanism to make cross-border data transfers compliant with GDPR.

Why it's being asked: This question appears in security assessments because:

1. If your service processes EU citizens' data and stores or processes it outside the EEA, there must be a legal mechanism in place for this transfer.
2. After the invalidation of the EU-US Privacy Shield in 2020 (Schrems II decision), SCCs became even more important as a transfer mechanism.
3. Institutions need to ensure their vendors are willing to commit to these legal protections to avoid potential GDPR violations and fines.
4. The institution has a legal obligation to ensure appropriate safeguards are in place when transferring data internationally.

How to best answer it: You should indicate whether your company is willing to sign SCCs. If you are, state this clearly. If you have already implemented SCCs with other clients, mention this. If you don't transfer data outside the EEA or don't process EU personal data at all, explain this context. If you use alternative compliance mechanisms (like Binding Corporate Rules), explain those instead. Be specific about your company's approach to GDPR compliance regarding international data transfers.

Guidance

See GDPR Chapter 5, Art. 46, for SCC information.

Example Responses

Example Response 1

Yes, our company is fully prepared to sign the appropriate GDPR Standard Contractual Clauses (SCCs) with your institution. We have already implemented the updated 2021 EU Commission SCCs with several of our European clients. Our legal and compliance teams are familiar with these requirements and can work with your institution to execute the appropriate modules based on our controller-processor relationship. We understand the importance of maintaining adequate safeguards for international data transfers following the Schrems II decision and have conducted transfer impact assessments for countries where we process data.

Example Response 2

Yes, we will sign appropriate GDPR Standard Contractual Clauses with your institution. While our primary data centers are located within the EEA (specifically in Germany and Ireland), we do utilize support staff in the United States and India who may occasionally access EU personal data for troubleshooting purposes. We have already incorporated the latest SCCs into our standard data processing agreements and can provide these for review. Additionally, we have implemented supplementary technical measures including encryption in transit and at rest, strict access controls, and comprehensive staff training on data protection to address concerns raised by the Schrems II decision.

Example Response 3

No, we are currently unable to sign the GDPR Standard Contractual Clauses as requested. Our legal team is still evaluating the implications of the updated 2021 SCCs on our business operations and data flows. We do process data for EU citizens in our US-based data centers, and we previously relied on the Privacy Shield framework. We are working to develop a compliance strategy following the Schrems II decision and expect to have a solution within the next 3-4 months. In the interim, we can discuss alternative temporary arrangements or limitations on data processing if needed for your institution. We understand this is a significant compliance requirement and are actively working toward a solution.

Context

Tab: Privacy
Category: International Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub