New standard contractual clauses for data transfers between EU and non-EU countries and how it affects your business
As of September 27th, 2021, companies and organisations relying on Standard Contractual Clauses (SCCs) to transfers personal data outside the EU/EAA must use the new set of Standard Contractual Clauses (2021 SCCs) for all new contracts.
All companies that transfer personal data outside the EU/EAA must ensure that the level of protection of natural persons guaranteed by the General Data Protection Regulation (GDPR) is not undermined. This means that unless a country outside the EU/EAA is subject to an adequacy decision by the European Commission, personal data exporters and importers need to apply a transfer mechanism to lawfully transfer personal outside the EU/EEA.
Following the Schrems II judgement, which invalidated the EU-US Privacy Shield, many companies have relied on SCCs for their personal data transfers. To account for the GDPR and the Schrems II decision, the European Commission issued a new set of Standard Contractual Clauses on June 4th, 2021 stating that all new contracts relying on SCCs must use the 2021 SCCs from September 27th, 2021 onward.
If you want to learn more about Schrems II, please read our summary and breakdown of the judgement here.
What is new?
The 2021 SCCs introduces a modular approach meaning that some provisions are general and applicable to all transfer and others are specific to the applicable module. There are four available modules in the 2021 SCCs covering four different types of transfers: module 1 (controller to controller); module 2, (controller to processor); module 3 (processor to processor); module 4 (processor to controller). In addition to determining the correct module, choices and customisation are necessary for the text contained in the modules.
The 2021 SCCs are designed to address requirements provided in the Schrems II judgement and have added several provisions that regulate the obligations of the contracting parties where public authorities may access the transferred personal data. The 2021 SCCs also includes provisions with regard to assessing the local law of third countries where personal data will be processed and how local government authorities may access personal data in the importing country.
The 2021 SCCs also introduces a docking clause which provides a mechanism enabling multi party agreements. The docking clause is optional to use.
What does this mean?
It is important to remember that the practical implementation of the 2021 SCCs goes beyond contractually implementing the 2021 SCCs.
The contracting parties are required to assess and analyse all relevant aspects of the transfer, including but not limited to the legislation of third countries where personal data will be processed and to apply supplement safeguards (e.g. technical and organisational measures) required to ensure that the protection of natural persons is not undermined. Implementing the 2021 SCCs will require substantial efforts from the contracting parties.
Contracts entered before September 27th, 2021, may rely on the old set of SCCs for another fifteen months, until December 27, 2022. By then all contracts relying on the old SCCs must be replaced with the 2021 SCCs.
If you have questions about the 2021 SCCs or data protection in general, don’t hesitate to reach out to us at email@example.com.