Data protection update: The new Standard Contractual Clauses – Key dates to note

Since 27 September 2021 organisations must implement the new Standard Contractual Clauses, adopted by the European Commission, when entering into new contracts which involve a cross-border transfer of personal data outside of the EEA.

  • Since the reformulation of Standard Contractual Clauses (SCCs) adopted by the European Commission, and published in the Official Journal on 7 June 2021, organisations must be mindful of the actions they need to take in respect of their contracts, from a data protection standpoint.
  • In short, SCCs are a set of standard contractual terms approved by the European Commission for cross-border transfers of personal data where those transfers involve the sending of data to a country outside of the European Economic Area (EEA) deemed to have less-stringent data privacy laws. SCCs form part of the various transfer mechanisms available under the GDPR that organisations can use for cross-border transfers of personal data.
  • The existing SCCs were adopted more than a decade ago and still refer to the old European data protection legislation which has been replaced by the GDPR. The new SCCs are GDPR-compliant.
  • The new SCCs look and feel very different to the old SCCs. They contain certain provisions which are applicable to all transfer scenarios – for example, introductory provisions, third party rights, details of transfers covered, accession mechanism. The new SCCs also contain modular provisions which are only applicable to a specific type of transfer scenario i.e. Controller to Controller, Controller to Processor, Processor to Processor, or Processor to Controller. These provisions deal with substantive data protection obligations, redress, liability, indemnification, and supervision.
  • As of 27 September 2021, organisations must use the new SCCs when entering into new contracts. Existing contracts using the old SCCs can however remain in place as long as the actual underlying data processing operations under the contract do not change, failing which the new SCCs should be used from that point on. Organisations should therefore review their contracts to check when they might expire, and/or whether data processing operations have changed, and get ready to include the new SCCs where applicable.
  • From 27 December 2022, existing contracts incorporating the old SCCs must be amended by this date to incorporate the new SCCs and organisations must take appropriate measures to comply with any requirements arising from such new SCCs.

For more information on this topic, or if you have any questions relating to data transfers, please contact the Philip Lee data privacy and technology team.

News and insights

IETA European Climate Summit 2024

IETA European Climate Summit 2024

Key Contacts: Lev Gantly - Partner  |   Anna Hickey - Partner Lev Gantly, Anna Hickey and Simon Puleston Jones will be attending the European Climate Summit 2024 from the 16-18 April in Florence, Italy. If you are also attending the summit, reach out to the team...

read more
Chambers and Partners Europe Rankings 2024

Chambers and Partners Europe Rankings 2024

We are pleased to be recognised in the latest Chambers and Partners Europe 2024 rankings across the firm. A special thank you to our clients for their continued support. Read the full rankings here.

read more
Paris Arbitration Week

Paris Arbitration Week

Key Contacts: Eimear Collins - Partner  |   Gerald Byrne - Partner Partners Eimear Collins and Gerald Byrne from our litigation team will be attending Paris Arbitration week on March 18. Paris Arbitration Week brings together legal professionals globally to discuss...

read more
Peter Crawford

Peter Crawford

It is with great sadness that we announce the unexpected and tragic passing of our colleague and dear friend Peter Crawford. Peter was with the firm for almost ten years, joining as an intern and most recently becoming a senior associate. He was an excellent lawyer...

read more
Share This