European Commission Published New Standard Contractual Clauses – Next Steps
On 4 June 2021, the European Commission published two sets of standard contractual clauses (SCC), one for use between controllers and processors and one for the transfer of personal data to third countries.
- The new SCCs are aligned with the requirements of the General Data Protection Regulation (GDPR).
- A ‘modular approach’ has been taken, and the new SCCs allows transfers from controller to controller, controller to processor, processor to processor and processor to controller.
- They provide flexibility for complex processing chains by offering the possibility for more than two parties to join with the ‘docking clause’. Although the mechanism remains unclear as this is done ‘with the agreement of the Parties’.
- The Schrems II judgment has been considered by providing an overview of different steps that should be taken and examples of possible ‘supplementary measures’. The new SCCs include warranties as to the accuracy of the parties’ assessment of the laws of the destination country and the protection such laws afford to personal data. Therefore, relevant risk assessment and implementation of appropriate safeguards to supplement the SCCs is necessary.
The new SCCs will come into force 27 June 2021, from which time organisations currently using previous sets of SCCs will have 18 months to update their contractual arrangements. However, for new transfers, the current SCCs may only be used for 3 months following the date the new SCCs come into force.
Data importers and exporters should start preparing for the replacement of the current SCC and planning new transfers to ensure continued compliance with data protection regulation.
- Identify all data transfers under the current SCCs that will continue beyond the transition period.
- Review contractual arrangement for amendment requirements.
- Analyse and get accustomed to the new SCCs.
- Make sure to have planned ahead and allow sufficient time for renegotiating or concluding new contractual arrangements and their implementation.
To our knowledge, the European Data Protection Board is also expected to issue a final version of its recommendations regarding the Schrems II judgment, the draft of which was published in November 2020. This will surely have implications on the practical implementation of international transfers. The recommendations should be carefully reviewed with the new SCCs, and change processes should be planned in light of these new changes.
SCCs are standardised and pre-approved model data protection clauses that can be incorporated into contractual arrangements on a voluntary basis, providing a tool to comply with data protection requirements. The new SCCs take into account the Schrems II judgment of the Court of Justice and retain the principles in the current SCCs, which were the basis for the CJEU’s decision that the SCCs should remain valid.