Schrems II – SCCs | FIS

On 16 July 2020, the CJEU handed down its judgment in the Schrems II case that has a major impact on international data transfers. CJEU examined whether two data transfer mechanisms – i.e. the existing standard contractual clauses (“SCCs”) and the EU-US Privacy Shield – adequately protect EU personal data transferred to countries outside of the European Economic Area (“EEA”) that are not considered to ensure an adequate level of protection. CJEU invalidated the EU-US Privacy Shield while maintaining the validity of existing SCCs but required companies to conduct a detailed transfer impact assessment (“TIA”) of all circumstances of the transfer and implement additional safeguards as needed before using them.

The Schrems II Judgment is a historic court decision that has significant impact on any company handling and transferring EU personal data, regardless of whether they are based in the EU or not. Companies are expected to take on increased responsibility to protect EU personal data when transferred abroad and are subject to heightened scrutiny from EU privacy supervisory authorities and consumer organizations.

The EU Commission (“EU com”) has implemented new EEA SCCs as from 27 June 2021 so firms can voluntarily start using the new EEA SCCs from this date.

Transition Period given: There is a grace period for using the existing/older form of EEA SCCs. Parties can continue signing the existing SCCs until 27 September 2021, thereafter, no new contracts can be signed using the existing SCCs.

Remediation Period given for existing contracts: Parties are given until 27 December 2022 (or when the underlying processing operations of the relevant EU personal data changes, if earlier) to replace existing EEA SCCs with the new EEA SCCs.

FIS notes that the UK are currently relying on the existing SCCs but will update the UK SCCs in due course (currently under consultation).

Yes. FIS relies on the SCCs to transfer EU personal data to its affiliates (in the form of intragroup data transfer arrangements) and to its partners and vendors located outside the EEA including the US.

In addition, FIS follows the EDPB guidelines on international transfers and takes appropriate actions to mitigate any privacy risks arising as a result of the Schrems II Judgment.

FIS understands that the clients are also taking supplementary measures as a result of Schrems II and to assist with their transfer impact assessment. Clients can write to GDPR@fisglobal.com to obtain a copy of the FIS Schrems II Checklist addressing enquiries raised due to Schrems II Judgement. To facilitate the process, please remember to include (i) your regular FIS contact such as relationship manager (if you have one); (ii) FIS product/service provides you; and (iii) FIS contracting entity.

FIS will be updating its client contracts to incorporate the new SCCS, where applicable, in accordance with the required deadlines. If you are an existing client and the new SCCs apply to you, FIS will be in touch shortly with the required amendment. In addition, as part of our robust commitment to data privacy globally, FIS has imposed key GDPR terms as from 2018 where GDPR is applicable.

FIS relies on the SCCs to transfer EU personal data to partners and vendors located outside of the EEA. Updated FIS vendor data privacy agreements with new EEA SCCs are available for use. FIS will be updating its existing partner/vendor contracts to incorporate the new SCCS, where applicable, in accordance with the required deadlines.

In addition, as part of our robust commitment to data privacy globally, FIS has imposed key GDPR terms to the majority of our non-EEA vendors and where applicable.

FIS has a long-standing commitment to data privacy and information security.

FIS understands and agrees with the principles of the GDPR and all relevant data privacy laws that people have the right to understand how their personal data is handled and they should have control over their data. FIS will continue monitoring regulatory guidance and take necessary actions as a result of the Schrems II Judgement and the new EEA SCCs (and the UK SCCs when they are formally issued).