Schrems II – SCCs | FIS

Introduction

This set of FAQs highlights the key topics addressed in the Schrems II judgment (the “Schrems II Judgment”) from the Court of Justice of the European Union (“CJEU”) to help our clients, partners and vendors understand our approach to the Schrems II Judgment.

This content presents a general overview of the Schrems II judgment and does not provide legal advice. It is imperative you seek independent legal advice to discuss the requirements applicable to your specific circumstances.

What is the Schrems II Judgment?

On 16 July 2020, the CJEU handed down its judgment in the Schrems II case, which has a major impact on international data transfers. The CJEU examined whether two data transfer mechanisms – i.e. the existing standard contractual clauses (“SCCs”) and the EU-US Privacy Shield – adequately protect EU personal data transferred to countries outside of the European Economic Area (“EEA”) that are not considered to ensure an adequate level of protection. The CJEU invalidated the EU-US Privacy Shield while maintaining the validity of existing SCCs, but required companies to conduct a detailed transfer impact assessment (“TIA”) of all circumstances of the transfer and implement additional safeguards as needed before using them.

What is the significance of the Schrems II Judgment?

The Schrems II Judgment is a historic court decision that has a significant impact on any company handling and transferring EU personal data, regardless of whether it is based in the EU or not. Companies are expected to take on increased responsibility to protect EU personal data when transferred abroad and are subject to heightened scrutiny from EU privacy supervisory authorities and consumer organizations.

What is a direct consequence of the Schrems II Judgment?

The EU Commission (“EU com”) has implemented new SCCs as of 27 June 2021, so firms can voluntarily start using the new SCCs from this date.

Transition Period given: There is a grace period for using the existing/older form of SCCs. Parties can continue signing the existing SCCs for a further 3 months, but after 27 September 2021 no new contracts can be signed using the existing SCCs.

Remediation Period given for existing contracts: Parties are given until 27 December 2022 (or when the underlying processing operations of the relevant EU personal data change, if earlier) to replace existing SCCs with the new SCCs.

Can FIS continue to transfer EU personal data to Third Countries outside the EEA, including the US?

Yes. FIS relies on the SCCs to transfer EU personal data to its affiliates (in the form of intragroup data transfer arrangements) and to its partners and vendors located outside the EEA, including the US.

In addition, FIS follows the EDPB guidelines on international transfers and takes appropriate actions to mitigate any privacy risks arising as a result of the Schrems II Judgment.

What steps will FIS take to support its clients?

FIS understands that clients are also taking supplementary measures as a result of Schrems II. To assist with their transfer impact assessments, clients can write to GDPR@fisglobal.com to obtain a copy of the FIS Schrems II Checklist, which addresses enquiries raised due to the Schrems II Judgment. To facilitate the process, please remember to include (i) your regular FIS contact, such as your relationship manager (if you have one); (ii) the FIS product/service provided to you; and (iii) the FIS contracting entity.

FIS will be updating its client contracts to incorporate the new SCCs, where applicable, in accordance with the required deadlines. If you are an existing client and the new SCCs apply to you, FIS will be in touch shortly with the required amendment. In addition, as part of our robust commitment to data privacy globally, FIS has imposed key GDPR terms as of 2018 where GDPR is applicable.

What steps will FIS take with its partners and vendors located outside of the EEA?

FIS relies on the SCCs to transfer EU personal data to partners and vendors located outside of the EEA. FIS is updating its partner/vendor contracts to incorporate the new SCCs, where applicable, in accordance with the required deadlines.

In addition, as part of our robust commitment to data privacy globally, FIS has imposed key GDPR terms on the majority of our non-EEA vendors, where applicable.

What is FIS’ approach to the GDPR and Schrems II?

FIS has a long-standing commitment to data privacy and information security.

FIS understands and agrees with the principles of the GDPR and all relevant data privacy laws: that people have the right to understand how their personal data is handled and that they should have control over their data. FIS will continue monitoring regulatory guidance and taking necessary actions as a result of the Schrems II Judgment and the new SCCs.