These guidelines are meant to provide an overview regarding the new European Standard Contractual Clauses (SCCs). They are not intended to be a substitute for legal advice. As such, we recommend that you consult your legal counsel before acting on any matter discussed within this alert.
On June 4, 2021, the European Commission published a new, updated version of the European Standard Contractual Clauses (EU SCCS), which take into account the Schrems II judgment of the European Court of Justice and the invalidation of the EU-US Privacy Shield. Part one of this blog post will provide an informational overview of the Standard Contractual Clauses and remind readers of key dates related to the new EU SCCs.
In addition, Atlassian has launched a Data Processing Addendum for Forge, which is a contract that outlines the rights and obligations of each party (in this case, Atlassian and Forge developers) concerning the protection of personal data. Developers who host apps on Atlassian's Forge platform will enter into Atlassian's Forge Data Processing Addendum by accepting the Forge Developer Terms, which includes SCCs with Atlassian. Read on to part two of the blog post for more information and learn how you can review and accept the new terms.
Part One: What are Standard Contractual Clauses?
The standard contractual clauses (EU SCCs) are model contract clauses published by the European Commission that companies can enter into with third parties. The EU SCCs are a tool designed to help companies transfer European Economic Area (EEA) residents’ data out of the EEA in a way that is compliant with the General Data Protection Regulation (GDPR).
Among other things, the new EU SCCs require companies to:
- Provide more detail about about where, when, why and how they handle personal data; and
- Assess whether the laws and practices of the country that data is being transferred to could prevent the receiving party from complying with the SCCs. This assessment is commonly referred to as a data transfer impact assessment (DTIA).
Who should enter into the new EU SCCs?
Any company that: (i) is subject to the GDPR and (ii) transfers personal data relating to EEA residents out of the EEA (e.g. to a third party service provider), has an obligation to use a cross-border data transfer mechanism that is approved under the GDPR.
There are several types of GDPR approved cross-border data transfer mechanisms that may be used – one common mechanism is the SCCs. Other mechanisms include the use of Binding Corporate Rules, or relying on the European Commission's "adequacy" decision for the country to which data is being transferred.
SCCs are a common cross-border data transfer mechanisms used by SaaS companies, but ultimately each company must evaluate whether the use of SCCs is the right choice for the company, or if another cross-border data transfer mechanism should be used.
Note: Developers who host apps on Atlassian's Forge platform will enter into Atlassian's Forge Data Processing Addendum, which includes SCCs with Atlassian. These SCCs govern any cross-border transfers of developers’ (and their customers’) personal data to Atlassian. For more details, see "Introducing the Forge DPA" below.
UK and Swiss SCCs:
Following in the footsteps of the EU, in 2022, the UK published a UK-specific data transfer mechanism that companies can rely on when transferring personal data relating to UK residents outside of the UK.
Similarly, in August 2021, Switzerland's Federal Data Protection and Information Commissioner (the "Swiss Data Protection Authority") announced that EU SCCs may be relied on when transferring personal data relating to Swiss residents out of Switzerland, with necessary amendments made to ensure compliance with Swiss data protection law.
- For the EU:
- December 27, 2022: Companies that still rely on the old version of the EU SCCsfor international data transfers have until December 27, 2022 to update these agreements with the new EU SCCs.
- For the UK:
- March 21, 2024: Companies may still rely on the old version of the EU SCCsfor international data transfers out of the UK until March 21, 2024. After March 21, 2024, those agreements must be updated with the UK-specific data transfer mechanism.
For more information on the EU SCCs please see: https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf
For more information on the UK SCCs please see: International data transfer agreement and guidance
For more information from the Swiss Data Protection Authority please see: Latest News
Part Two: Introducing the Forge Data Processing Agreement
Atlassian has shipped a data processing addendum for Forge developers (the "Forge DPA"). The Forge DPA is incorporated by reference in the Forge Terms, which all Forge developers must comply with in order to use the Forge platform.
A data processing addendum is a contract that outlines the rights and obligations of each party (in this case, Atlassian and Forge developers) concerning the protection of personal data. Under the Forge DPA, Atlassian predominantly acts as a processor of personal data on behalf of Forge developers in connection with the provision of the Forge platform. However, in certain circumstances, Atlassian acts as a controller of personal data (e.g. to comply with applicable laws, to ensure the security of the Forge platform, and to administer Forge services, including the Forge command line interface (CLI)). Please refer to Section 1.2 and Annex 1(B), Part B of the Forge DPA for further information.
The Forge DPA also incorporates the EU Standard Contractual Clauses ("SCCs"), which govern cross-border transfers of developers’ (and their customers’) personal data to Atlassian. The SCCs provide a mechanism to transfer European Economic Area (EEA) residents’ data out of the EEA in a manner that is compliant with the General Data Protection Regulation ("GDPR").
The DPA also includes certain interpretative provisions to ensure that the SCCs apply to transfers of UK and Switzerland residents’ personal data outside of those countries. As a result, the SCCs govern cross-border transfers of developers’ (and their customers’) personal data to Atlassian.
For more information, please see:
- A list of Atlassian's current sub-processors, including sub-processors for the Forge platform
- Atlassian's Data Transfer Impact Assessment page
Please click here to review and accept the new Forge Terms, including the Forge DPA, by December 27, 2022.