Schrems II – SCCs | FIS

On 16 July 2020, the CJEU handed down its judgment in the Schrems II case that has a major impact on international data transfers. CJEU examined whether two data transfer mechanisms – i.e. standard contractual clauses (“SCCs”) and the EU-US Privacy Shield – adequately protect EU personal data transferred to countries outside of the European Economic Area (“EEA”) that are not considered to ensure an adequate level of protection. CJEU invalidated the EU-US Privacy Shield while maintaining the validity of existing SCCs but required companies to conduct a detailed assessment of all circumstances of the transfer and implement additional safeguards as needed before using them.

The Schrems II Judgment is a historic court decision that has significant impact on any company handling and transferring EU personal data, regardless of whether they are based in the EU or not. Companies are expected to take on increased responsibility to protect EU personal data when transferred abroad and are subject to heightened scrutiny from EU privacy supervisory authorities and consumer organizations.

In June 2021, the European Commission adopted new Standard Contractual Clauses (SCCs) that take into account the Schrems II Judgement of the Court of Justice. The new SCCs provide more flexibility for complex processing chains, through a ‘modular approach”. The SCCs also include a practical toolbox to comply with the Schrems II Judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II Judgment as well as examples of possible ‘supplementary measures', such as encryption, that companies may take if necessary.

In addition, the European Data Protection Board issued recommendations on “supplementary measures” that companies can implement, in addition to the SCCs, to safeguard the processing the personal data in accordance with the GDPR.

FIS has updated its Data Processing Addendum to include the new SCCs as well as ‘supplementary measures’.

Yes. FIS relies on the SCCs to transfer EU personal data to its affiliates (in the form of intragroup data transfer arrangements) and to its partners and vendors located outside the EEA including the US.

In addition, FIS follows the EDPB guidelines on international transfers and takes appropriate actions to mitigate any privacy risks arising as a result of the Schrems II Judgment.

FIS understands that the clients are also taking supplementary measures as a result of Schrems II and to assist with their transfer impact assessment. FIS has prepared a Due Diligence Packet for its Clients that provides summary responses to key topics clients require as part of their ongoing risk management and compliance programs. Clients can write to GDPR@fisglobal.com to obtain a copy of the packet addressing inquiries raised due to Schrems II Judgement. To facilitate the process, please remember to include
(i) your regular FIS contact such as relationship manager (if you have one);
(ii) FIS product/service provided to you; and
(iii) FIS contracting entity.

FIS will be updating its client contracts to incorporate the new SCCs, where applicable, in accordance with the required deadlines. If you are an existing client and the new SCCs apply to you, FIS will be in touch shortly with the required new DPA.

FIS relies on the SCCs to transfer EU personal data to partners and vendors located outside of the EEA. Updated FIS vendor data privacy agreements with new EEA SCCs are available for use. FIS will be updating its existing partner/vendor contracts to incorporate the new SCCS, where applicable, in accordance with the required deadlines.

FIS has a long-standing commitment to data privacy and information security.

FIS understands and agrees with the principles of the GDPR and all relevant data privacy laws that people have the right to understand how their personal data is handled and they should have control over their data. FIS will continue monitoring regulatory guidance and take necessary actions as a result of the Schrems II Judgement and the new SCCs.