- The entity is NOT a critical information infrastructure operator.
- The entity processes the personal data of fewer than 1 million individuals.
- The entity has transferred personal data of fewer than 100,000 individuals on a cumulative basis since January 1 of the previous year.
- The entity has transferred sensitive personal data of fewer than 10,000 individuals on a cumulative basis since January 1 of the previous year.
*Notably, the Draft Provisions also require the data exporter to file the executed contract with the provincial branch of the CAC within 10 days after the contract goes into effect along with a personal information protection impact assessment that must be prepared before the transfer.
Yes. The EU SCCs feature four separate modules that govern the transfer of personal data between entities based on each party’s data processing/exporting role.
Module One: controller to controller transfers
Module Two: controller to processor transfers
Module Three: processor to processor transfers
Module Four: processor to controller transfers.
Thus, the EU SCCs modular approach requires entities to pay close attention to (i) all potential processing roles a party may have under a transaction (e.g., data controller or data processor) and (ii) examine how data flows. Under the EU SCCs, certain agreements can call for the need of various modules to be in place to permit the transfer of data outside the EEA.
- Legitimate Purpose. There are real and legitimate business needs to provide personal data.
- Data Subject Consent. The overseas recipient has informed the data subjects about the third-party recipient, and separate consent has been obtained.
- Data Processing Agreement Requirement. The overseas recipient has entered into a written agreement with the third party to implement the same level of personal data protection.
- Proof of DPA. The overseas recipient has provided the data exporter with a copy of the agreement.
Effective: September 27, 2021
Grace Period: Organizations can no longer enter into the “old” EU SCCs (the cut off was September 27, 2021) but can rely on the “old” EU SCCs entered into before that date until December 27 2022.
Effective: March 21, 2022.
Grace Period: Organizations may enter into the “old” EU SCCs (with UK edits), on or before September 21, 2022. Transfers using the “old” EU SCCs will be valid until March 21, 2024 assuming that the processing operations under the agreement remain unchanged during that time.
Not in Effect.
Public Comment on the Draft Provision ended on July 29, 2022.