Standardizing data processing agreements globally

Recorded August 3, 2021

A webinar for providers of information technology services and products, and their customers



Page 2: Presenters

Lothar Determann, Partner, Palo Alto (Moderator)
Helena Engfeldt, Partner, San Francisco
Michaela Nebel, Partner, Frankfurt
Flávia Rebello, Partner, São Paulo*
Kensaku Takase, Partner, Tokyo

* In cooperation with Trench, Rossi and Watanabe Advogados

Page 3: Agenda

1. The New EU Standard Contractual Clauses: How to Prepare
2. CCPA/CPRA, HIPAA, PCI, Nevada, Virginia, Colorado
3. Brazil and the Americas
4. Japan and APAC
5. Global approach to documentation

Page 4: Section 1: The New EU Standard Contractual Clauses

SCCs, processor instructions, adequacy assessments, response to requests

Page 5: Overview

a. GDPR context
b. Predecessor versions
c. Modules

Page 6: European Commission: New standard contractual clauses

"Extra-EU SCCs" / "Art. 46 SCCs" / Commission Decision 2021/914
- Set out appropriate safeguards pursuant to Art. 46 GDPR.
- Modules C2P and P2P constitute clauses pursuant to Art. 28(7) GDPR, because they set out the rights and obligations of controllers and processors pursuant to Art. 28(3) and (4) GDPR.

"Intra-EU SCCs" / "Art. 28 SCCs" / Commission Decision 2021/915
- Fulfil the requirements for contracts between controllers and processors in Art. 28(3) and (4) GDPR.

Page 7: Timeline

June 7, 2021: Publication of the new SCCs in the Official Journal of the EU.

June 27, 2021: The new SCCs entered into force. Start of the 3-month "transition period", during which the old SCCs as well as the new SCCs can be concluded.

September 27, 2021: Only the new SCCs can be concluded.

December 27, 2022: Until then, the old SCCs are deemed to provide appropriate safeguards, provided that the processing activities remain unchanged, and the transfer is subject to appropriate safeguards (see Schrems II).

December 28, 2022: The old SCCs no longer provide appropriate safeguards. All old contracts and new contracts must be based on the new SCCs.

Page 8: Extended scope

[Diagram: a cloud provider / processor with its sub-processors on one side and a corporate group (parent company and affiliated companies) on the other, with the SCC module used on each link: C2P SCCs, P2P SCCs, C2C SCCs and P2C SCCs. German labels in the original: Auftragsverarbeiter = processor, Subauftragsverarbeiter = sub-processor, Konzernmutter = parent company, Konzerngesellschaften = affiliated companies.]

The four modules of the new SCCs (data exporter to data importer):

1. Module 1 ("C2C"): controller to controller
2. Module 2 ("C2P"): controller to processor
3. Module 3 ("P2P"): processor to processor
4. Module 4 ("P2C"): processor to controller

Page 9: Threshold questions

a. When to use the international and processor SCCs?
b. Alternatives:
   i. Custom corporate agreements
   ii. Contracts with individuals
   iii. Consent
   iv. BCRs

Page 10: Selection of open questions

Relation to Art. 28 GDPR contracts? Does the effect of the SCCs disappear if the SCCs differ from the provisions of Art. 28 GDPR?

"One size fits all" solution? May the extra-EU SCCs also be used for intra-EU transfers?

Drafting? Can parties sign off on only one SCC document if multiple modules apply?

Recital 7: Applicability only if the data importer is not subject to the GDPR?

Page 11: Implementation process

Counterparties to cover:
- Vendors
- Intragroup
- Customers

Points to decide:
- New vendors v. existing vendors
- Reactive v. proactive
- Align with requirements for other jurisdictions
- Prepare for updates

Page 12: Implementation details

a. Completely separate, annexed, or integrated in commercial agreements?
b. Hierarchy and modifications, particularly limitations of liability
c. Multi-module or separate agreements?
d. Options in modules: processor authorization, choice of law
e. Annexes

Page 13: Related requirements

a. Instructions
b. Schrems II assessments
c. Subprocessor list

Page 14: Transfer impact assessment

Schrems II decision of the Court of Justice of the European Union, July 16, 2020.

Clause 14(b) to (d) of the new SCCs require the parties to carry out and document a transfer impact assessment and to make it available to the competent supervisory authority on request.

Recommendations 01/2020 of the European Data Protection Board on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, final version dated June 18, 2021.

Page 15: Example Germany: Coordinated audit of international data transfers

Several data protection authorities in Germany have reached out to "selected companies" (without specifying them, e.g. by their industry) via questionnaires.

Goal: Broad enforcement of the requirements of the Court of Justice of the European Union in its Schrems II decision.

The questionnaires cover the following topics: mail hosting, website hosting, web tracking, applicant portals and intra-group data transfers.

Sample questions:

"If you have signed SCCs, have you done a thorough assessment (with the recipients) of the legal system of the third country?"

"If you have concluded that the recipient can in fact guarantee compliance with the contractual obligations under the SCCs: Please describe in detail your reasons for this conclusion and provide appropriate evidence."

Page 16: Section 2: CCPA/CPRA, HIPAA, PCI, Nevada, Virginia, Colorado

Page 17: Sources

https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Map.pdf
https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law.pdf

Page 18: US laws and standards compared

Columns: Name of law or standard | Who does the law/standard apply to? | Are data processing/transfer terms statutorily required? (*Data security terms are required under various laws)

CCPA/CPRA (California) | Entities that do business in CA and exceed one of three thresholds, or a parent/subsidiary of an entity that meets the requirements where the two use a common brand (most companies worldwide) | No, but particular terms unique to the CCPA are required for service provider/contractor characterization.

Colorado Privacy Act | Those who target CO residents and process PI of 100K (true) consumers, or derive revenue/a discount from the sale of PI and process PI of 25K consumers (many B2C companies) | Yes, similar to Art. 28 GDPR.

Virginia Consumer Data Protection Act | Those who target VA residents and process PI of 100K (true) consumers, or derive 50% of revenues from the sale of PI and process PI of 25K consumers (many B2C companies) | Yes, similar to Art. 28 GDPR.

Nevada's Senate Bill 220 | Operators with some nexus to Nevada (e.g. a commercial website accessed by Nevada residents) | No, but terms can be beneficial to document that PI is not sold.

HIPAA (US federal) | Covered entities and business associates (e.g. healthcare providers and their service providers) | Yes, particular terms unique to HIPAA are required.

GLBA (US federal) | Banks and other financial institutions | Yes, (non-prescriptive) confidentiality terms are required.

PCI (standards, apply globally) | Entities that store, process, and/or transmit cardholder data (e.g. financial institutions and companies accepting credit cards for payment) | No, but they will be contractually required through demands from the card companies.

Page 19: Section 3: Brazil and the Americas

Page 20: Brazil – LGPD transfer mechanisms

[Diagram of the LGPD transfer mechanisms:]
- Adequacy decision
- Binding corporate rules
- Brazilian model clauses
- Code of conduct or certification
- International cooperation
- Protection of life or physical integrity of the data subject
- Specific consent
- Contract with the data subject, legal obligation or enforcement of rights

Page 21: Brazil – LGPD transfer mechanisms

Uncertainty: all transfer mechanisms depend on regulations to be issued by the Brazilian Data Protection Authority (ANPD), which are scheduled to be issued only in the first half of 2022.

ANPD indicated (informally) that it will regulate SCCs first, as they are easier and less burdensome. One of the ANPD members indicated that the new EU SCCs are too complex for Brazil, and that the authority will aim for simpler clauses closer to the New Zealand or Singapore models.

Page 22: Regulations are different – LatAm

Argentina: International data transfers are prohibited unless to countries with an adequacy decision (EEA OK, US not OK), or if the transfer relies on the Argentinean model clauses. EU SCCs are acceptable.

Chile: No specific requirements.

Colombia: International data transfers are prohibited unless to countries with an adequacy decision (US and EEA OK), upon express consent of the data subject, or if necessary for the performance of a contract with the data subject or for the public interest. When the transfer takes place between a controller and a processor, or between two processors that follow the same privacy policy, it is called a "transmission". In any case, all transfers/transmissions need to be documented in a data sharing agreement.

Page 23: LatAm

Mexico: International data transfers require the data subject's consent given in the Privacy Notice, or are allowed if the transfer is an intra-group transfer, necessary for the performance of a contract with the data subject, for compliance with a legal obligation, for the enforcement of rights, or for the public interest.

Peru: International data transfers are allowed to countries with adequate levels of protection (no list of safe countries has been issued yet), or under a written contract that guarantees the same level of protection. Express consent of the data subject is required, except if the transfer is necessary for performing a contract with the data subject or for the public interest. EU SCCs are acceptable.

Uruguay: International data transfers are allowed for legitimate purposes or upon consent of the data subject, and transfers are permitted to countries with an adequate level of protection, or under contractual clauses that guarantee protection. EU SCCs are acceptable. Intercompany transfers can rely on BCRs or Codes of Conduct registered with the Authority.

Page 24: Section 4: Japan and APAC

Page 25: Japan and APAC

Data transfer agreements in APAC

Country | Requires an SCC-like agreement? | Official templates like SCCs? | Expressed support of SCC use?
Singapore | No | No | Yes, with amendments
Australia | No | No | No
Hong Kong | No | No | No
Malaysia | No | No | No
China | Yes | Yes, soon to come | No way
Philippines | Yes | No | No
South Korea | No | No | No
New Zealand | No | No (model template only) | No

Japan: EU and Japan mutual adequacy decision on January 23, 2019. BUT transfers of personal data from the EEA to Japan under the Adequacy Decision must also comply with the Supplementary Rules.

Page 26: Section 5: Global approach to documentation

Page 27: Global approach to documentation

- Unilateral standards to meet or exceed common-theme requirements
- Vendor onboarding process to default to including the standards, SCCs, and a HIPAA BAA unless the company can confirm that particular requirements are not triggered
- Infosec review for new vendors
- Impact assessment for new vendors

Page 28: Legal notice

Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

© 2021 Baker & McKenzie LLP

bakermckenzie.com