The new SCCs focus on correcting the shortcomings of the existing SCCs. The new clauses allow personal data to be transferred between several different parties and new parties can be added to existing transfer agreements later on. The new clauses also bring important changes related to company liabilities. In the future, companies in a data supply chain will be jointly responsible for protecting personal data. In addition, the new clauses allow individual data subjects to enforce their rights. The new clauses can also be applied by companies established outside the EU.
Overall, the new SCCs significantly increase companies’ responsibility to provide an adequate level of data protection and can consequently require more due diligence work when signing data transfer agreements.
The new standard contractual clauses can be used for transfers:
from one controller to another,
from a controller to a processor,
from one processor to another, or
from a processor to a controller.
The new SCCs are more in line with the GDPR rules and take into account the new requirements set by the Schrems II judgement. From now on data exporters must, for example, assess the level of data protection in the third country, assess the need for supplementary measures, and ensure sufficient documentation.
The new SCCs also impose stricter obligations on data importers. For example, data importers must inform data exporters if the requirements set by the SCCs cannot be met. Where possible, data importers should also inform both the data exporter and the data subjects if national authorities request access to the personal data. They should also assess the legality of such request and possibly oppose it as well as ensure that the process is documented. With these provisions, the European Commission seeks to ensure that personal data receives adequate protection also outside the EU.