The European Commission adopted new Standard Contractual Clauses (“SCCs”) on 4 June 2021. The SCCs can be used under the General Data Protection Regulation (GDPR) as a safeguard for transfers of personal data to recipients in countries outside the European Economic Area if the European Commission has not adopted an adequacy decision.
The new SCCs have been updated to align with the GDPR, offering more flexibility for complex processing chains. They include a practical toolbox to help companies comply with the CJEU’s Schrems II judgment, such as examples of possible ‘supplementary’ measures.
The new SCCs come into effect on 27 June 2021, 20 days after their publication on 7 June 2021 in the Official Journal of the EU. Companies which currently use a previous SCC version as a safeguard for international data transfers are required to implement the new SCCs by 27 December 2022.
THE NEW SCCS – KEY DIFFERENCES
The new SCCs differ in several respects from the old SCCs. The new SCCs reflect the technological and legal developments after the Schrems II decision. Consequently, the new SCCs are better suited to transfer data of modern large-scale processing chains and impose further obligations on controllers and processors in the EU and abroad.
The new SCCs have a ‘modular’ structure, meaning that the model comprises a set of clauses for each of:
- Controller-to-controller transfers (Module 1)
- Controller-to-processor transfers (Module 2)
- Processor-to-processor transfers (Module 3)
- Processor-to-controller transfers (Module 4).
Parties exporting personal data can choose the module that matches the nature of their exports and use only the clauses specific to that module.
Multilateral possibilities and docking clauses
The prior SCCs were bilateral and no longer appropriate for modern large-scale (intra-group) processing chains. The new SCCs allow multiple exporting parties to sign the contract instead. The new SCCs also contain ‘docking clauses’, enabling new parties to be added to the contract over time.
The old SCCs required the data exporter to be a party established in the EU. Consequently, the old SCCs did not apply to data controllers which reside outside the EU but fall under the GDPR as they process personal data of data subjects residing in the EU (the GDPR’s extraterritorial applicability).
The new SCCs stipulate that the data exporter can be a non-EU entity; consequently, they can be used by non-EU exporters to transfer data to another non-EU party.
Safeguards on protection level
The parties warrant that by executing the SCCs, they have no reason to believe that the laws and practices applied will prevent the data importer from fulfilling its commitments under the SCCs. These provisions are a direct response to the CJEU’s Schrems II decision, where the CJEU ruled that exporters need to assess whether the national and international laws of the destination may interfere with the fundamental rights laid down in the GDPR.
In order to do so, parties have to undertake a thorough assessment and, if necessary, introduce appropriate measures to assure GDPR compliance. The assessment must be documented and include the transfer’s specific circumstances, considering the destination’s local laws. These appropriate measures may establish contractual, technical or organisational safeguards. Parties must make the assessment available to the competent data protection authorities upon request.
The SCCs’ Annex III describes technical and organisational measures the parties can implement to ensure the security of the data. Such measures include encryption, regular testing, logging, continuity measures and certification.
The new SCCs allow the old SCCs to continue to be used for new data transfers over a three-month transition period. The old SCCs can nevertheless continue to be used for existing data transfers for up to 18 months.
Next steps and timing
Companies which have implemented an arrangement for data transfers to recipients outside the EEA based on old SCCs are required to review this arrangement and implement the new SCCs before 27 December 2022. In particular, companies need to pay attention to the abovementioned modular structure of the SCCs and include the wording applicable to the character of their specific data transfers. For new data transfers to recipients outside the EEA after 27 September 2021, companies should use the new SCCs as a basis.
- Thomas de Weerd | firstname.lastname@example.org
- Jurre Reus | email@example.com
- Godart van Ekeren | firstname.lastname@example.org
Compliments of Houthoff – a member of the EACCNY.