The European Commission has adopted new standard contractual clauses


The EU Commission has adopted two sets of standard contractual clauses (SCCs), one for the transfer of personal data to third countries and the other to be used between controllers and processors. The SCCs to be used between controllers and processors are completely new, while those used in the transfer of personal data to third countries will replace the existing clauses.

The SCCs can be used as a basis for data transfers as defined in the General Data Protection Regulation (GDPR) and they impose obligations on data exporters and importers to guarantee an adequate level of data protection. The SCCs were updated in particular to meet the requirements set by the Schrems II judgement issued by the European Court of Justice. The Commission published the first draft of the new SCCs for comments last year and the final version remains very similar to the drafts.

What changes will the new standard contractual clauses bring?

The new SCCs focus on correcting the shortcomings of the existing SCCs. The new clauses allow personal data to be transferred between several different parties and new parties can be added to existing transfer agreements later on. The new clauses also bring important changes related to company liabilities. In the future, companies in a data supply chain will be jointly responsible for protecting personal data. In addition, the new clauses allow individual data subjects to enforce their rights. The new clauses can also be applied by companies established outside the EU.

Overall, the new SCCs significantly increase companies’ responsibility to provide an adequate level of data protection and can consequently require more due diligence work when signing data transfer agreements.

The new standard contractual clauses can be used for transfers:

  • from one controller to another,

  • from a controller to a processor,

  • from one processor to another, or

  • from a processor to a controller.

The new SCCs are more in line with the GDPR rules and take into account the new requirements set by the Schrems II judgement. From now on data exporters must, for example, assess the level of data protection in the third country, assess the need for supplementary measures, and ensure sufficient documentation.

The new SCCs also impose stricter obligations on data importers. For example, data importers must inform data exporters if the requirements set by the SCCs cannot be met. Where possible, data importers should also inform both the data exporter and the data subjects if national authorities request access to the personal data. They should also assess the legality of such a request, possibly oppose it, and ensure that the process is documented. With these provisions, the European Commission seeks to ensure that personal data receives adequate protection outside the EU as well.

When will the new standard contractual clauses take effect?

Companies can start using the new SCCs as early as 27 June 2021 (effective date), although this is not mandatory, as companies can utilize a transitional period. The old SCCs can be used when signing new agreements for 3 months after the effective date (until 27 September 2021). At the end of this period, companies will no longer be able to sign new transfer agreements using the old SCCs. All transfer agreements still using the old SCCs should be replaced using the updated SCCs within 18 months of the effective date, meaning 27 December 2022 at the latest.

What does this all mean for companies?

  1. Risk assessment is mandatory: companies must assess the level of personal data protection in a third country even before using the new SCCs.

  2. Use of the new SCCs must be fully implemented during next year: companies must prepare to enter into new data transfer agreements and replace the existing ones.

  3. In the future, companies must know their partners even more closely: under the new SCCs, companies are jointly responsible for protecting personal data, which requires choosing reliable partners. Companies are also directly responsible for data subjects.