New standard contractual clauses for data transfers between EU and non-EU countries and how it affects your business

As of September 27th, 2021, companies and organisations relying on Standard Contractual Clauses (SCCs) to transfers personal data outside the EU/EAA must use the new set of Standard Contractual Clauses (2021 SCCs) for all new contracts.

Background

All companies that transfer personal data outside the EU/EAA must ensure that the level of protection of natural persons guaranteed by the General Data Protection Regulation (GDPR) is not undermined. This means that unless a country outside the EU/EAA is subject to an adequacy decision by the European Commission, personal data exporters and importers need to apply a transfer mechanism to lawfully transfer personal outside the EU/EEA.

Following the Schrems II judgement, which invalidated the EU-US Privacy Shield, many companies have relied on SCCs for their personal data transfers. To account for the GDPR and the Schrems II decision, the European Commission issued a new set of Standard Contractual Clauses on June 4th, 2021 stating that all new contracts relying on SCCs must use the 2021 SCCs from September 27th, 2021 onward.

If you want to learn more about Schrems II, please read our summary and breakdown of the judgement here.

What is new?

The 2021 SCCs introduces a modular approach meaning that some provisions are general and applicable to all transfer and others are specific to the applicable module. There are four available modules in the 2021 SCCs covering four different types of transfers: module 1 (controller to controller); module 2, (controller to processor); module 3 (processor to processor); module 4 (processor to controller). In addition to determining the correct module, choices and customisation are necessary for the text contained in the modules.

The 2021 SCCs are designed to address requirements provided in the Schrems II judgement and have added several provisions that regulate the obligations of the contracting parties where public authorities may access the transferred personal data. The 2021 SCCs also includes provisions with regard to assessing the local law of third countries where personal data will be processed and how local government authorities may access personal data in the importing country.

The 2021 SCCs also introduces a docking clause which provides a mechanism enabling multi party agreements. The docking clause is optional to use.

What does this mean?

It is important to remember that the practical implementation of the 2021 SCCs goes beyond contractually implementing the 2021 SCCs.

The contracting parties are required to assess and analyse all relevant aspects of the transfer, including but not limited to the legislation of third countries where personal data will be processed and to apply supplement safeguards (e.g. technical and organisational measures) required to ensure that the protection of natural persons is not undermined. Implementing the 2021 SCCs will require substantial efforts from the contracting parties.

Contracts entered before September 27th, 2021, may rely on the old set of SCCs for another fifteen months, until December 27, 2022. By then all contracts relying on the old SCCs must be replaced with the 2021 SCCs.

If you have questions about the 2021 SCCs or data protection in general, don’t hesitate to reach out to us at contact@synchlaw.se.

News and Insights
Blog Posts

Responsibility of online platforms and the regressive opinion of the Advocate General

08/12/2020

This blog post was written by My Byström, lawyer at Synch A comment on the opinion of the Advocate General in joined cases Youtube (C-682/18) and Cyando (C‑683/18) In December, the CJEU is expected to deliver its judgement in the joined cases Youtube and Cyando, where questions regarding the liability of platforms for user uploaded materials have […]

Press release

Synch assists when a leading IAM player is created

26/11/2021

Synch has assisted SecMaker and its owners in connection with the merger with Pointsharp. The merger creates a leading software provider in identity and access management. Pointsharp, with the support of Main Capital, is on a growth journey to become a leading European supplier in identity and access management. The acquisition of SecMaker is the […]

Press release

Synch has acted as legal advisor for the owners of Ungapped AB

19/11/2021

Synch has acted as legal advisor for the owners of Ungapped AB in the sale of a majority stake of the shares in the company to Finnish Liana Technologies OY. Ungapped is a SaaS company that provides a platform for digital communication with tools for e-mail marketing and surveys, event management and SMS marketing. Ungapped […]

Press release

Synch has acted as legal advisor for the owners of Bogard AB

11/11/2021

Synch has acted as legal advisor for the owners of Bogard AB in the sale of the company to Moody’s Analytics. Bogard covers over 17,000 PEPs, relatives, and close associates across Sweden, Norway, Denmark, and Finland. The company collects, refines, and updates its data using various sources, including tax authorities, business and real estate registries, […]

Press release

SYNCH HAS ADVISED SLITEVIND AB

10/11/2021

Synch has been advising Slitevind AB (“Slitevind”) in the establishment of Eagle Wind JV (“Eagle Wind”), a joint venture owned by Slitevind together with one of Europe’s leading asset managers. The purpose of Eagle Wind will be to build a portfolio of operational wind turbines, and Slitevind will be managing the wind turbines alongside Obligo […]

Press release

Synch agerar legal rådgivare till Brighter i företrädesemission

04/11/2021

Styrelsen för Brighter AB (publ) har annonserat att de kallar till extra bolagsstämma med förslag till företrädesemission av units om cirka 117 miljoner kronor. Synch är legal rådgivare till Brighter i samband med emissionen och Mangold Fondkommission finansiell rådgivare. Brighter är ett healthtech-bolag med aktier som handlas vid Nasdaq First North. Bolaget har bl.a lanserat […]

Blog Posts

New standard contractual clauses for data transfers between EU and non-EU countries and how it affects your business

01/10/2021

As of September 27th, 2021, companies and organisations relying on Standard Contractual Clauses (SCCs) to transfers personal data outside the EU/EAA must use the new set of Standard Contractual Clauses (2021 SCCs) for all new contracts. Background All companies that transfer personal data outside the EU/EAA must ensure that the level of protection of natural […]