On June 4, the European Commission adopted two new sets of Standard Contractual Clauses (SCCs), which are commonly used tools that legitimize international data transfers to countries that are not deemed to provide an adequate level of protection. The new SCCs include one set for data controllers and processors and another for transferring data to third countries. The new SCCs are aligned with the EU General Data Protection Regulation (GDPR) and the Court of Justice of the European Union's “Schrems II” ruling on international data transfers.
The main innovations of the new SCCs are as follows:
- Alignment of the SCCs with the GDPR;
- One single entry point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- More flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses;
- A practical toolbox to comply with the Schrems II judgment, i.e., an overview of the different steps companies must take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures’, such as encryption, that companies may take if necessary.
The new SCCs will come into effect 20 days after publication in the Official Journal; three previous sets of SCCs will be repealed three months after that date. Organizations may continue using the existing SCCs for the next three months (until September 27, 2021), but then must transition to the new SCCs in the 15 months following the date of their repeal (by December 27, 2022), which essentially creates an 18-month transition window.
Parties should only use the updated SCCs to legitimize transfers of personal data to a data importer located outside of the European Economic Area (EEA) whose processing of the personal data is not subject to the requirements of the GDPR. If the data importer located outside the EEA is subject to the GDPR in that it processes personal data of individuals in the EEA in the provision of goods or services to those individuals or the monitoring of those individuals, then the new SCCs should not be used. This means that organizations transferring personal data outside of the EEA will need to begin the process of ensuring that intra-group agreements and vendor contracts contain the new SCCs.
The Commission noted that the new SCCs also take into consideration the joint opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), feedback from stakeholders, and the opinion of Member States' representatives.
If you have any questions about how these new SCCs affect your organization, please do not hesitate to contact us.