Lawyer Monthly - November 2021 Edition

agreement. Contrary to earlier practice, there is no need of a separate data processing agreement in addition to the SCC. Hence, there is much more flexibility in how the parties set up the contractual framework to cover their obligations relating to data processing agreements and legal basis for transfer. What other factors related to the SCC should companies be aware of following 27 September? Any new transfer agreements need to be based on the new SCC from 27 September, whereas already executed WWW.LAWYER-MONTHLY.COM | OCT 2021 76 THOUGHT LEADER - THOMAS OLSEN old SCC must be replaced with new SCC before 27 December 2022. Many of the major cloud providers have already rolled out new data processing terms which incorporate the relevant modules of the new SCC. If the customer is not in a position to negotiate, the customer is nevertheless advised to review and assess whether the new conditions are adequate before accepting. From a compliance perspective, the customer will often be better off by accepting the updated contractual framework. However, we see that where the parties have spent time negotiating the existing data processing terms, replacing the terms with the new SCC could trigger many of the lengthy discussions relating to liability and allocation of risk and costs which took the parties weeks or even months to negotiate in the past. Are there any other significant areas of data transfer regulation that have yet to be clarified by the EDPB or other relevant European bodies? The GDPR transfer rules, the Schrems II ruling, and the EDPB recommendation all focus on the situation where personal data is being transferred from a data exporter to a data importer, i.e. processed in a third country or accessed by personnel in a third country. However, little light has been shed on the requirements in the common situation where an EEA customer has agreed with a cloud provider that all storage and processing shall take place in the EEA. Arguably, this situation is clearly outside the transfer rules and the Schrems II requirements since there is no transfer of personal data. However, if the cloud provider is subject to third country surveillance laws it could equally be argued that the data is exposed to some of the same risk as if the data were transferred to a third country. The Norwegian supervisory authority has stated that while the transfer rules do not apply, the authority recalls the general