Since 27 September 2021 organisations must implement the new Standard Contractual Clauses, adopted by the European Commission, when entering into new contracts which involve a cross-border transfer of personal data outside of the EEA.
- Since the reformulation of Standard Contractual Clauses (SCCs) adopted by the European Commission, and published in the Official Journal on 7 June 2021, organisations must be mindful of the actions they need to take in respect of their contracts, from a data protection standpoint.
- In short, SCCs are a set of standard contractual terms approved by the European Commission for cross-border transfers of personal data where those transfers involve the sending of data to a country outside of the European Economic Area (EEA) deemed to have less-stringent data privacy laws. SCCs form part of the various transfer mechanisms available under the GDPR that organisations can use for cross-border transfers of personal data.
- The existing SCCs were adopted more than a decade ago and still refer to the old European data protection legislation which has been replaced by the GDPR. The new SCCs are GDPR-compliant.
- The new SCCs look and feel very different to the old SCCs. They contain certain provisions which are applicable to all transfer scenarios – for example, introductory provisions, third party rights, details of transfers covered, accession mechanism. The new SCCs also contain modular provisions which are only applicable to a specific type of transfer scenario i.e. Controller to Controller, Controller to Processor, Processor to Processor, or Processor to Controller. These provisions deal with substantive data protection obligations, redress, liability, indemnification, and supervision.
- As of 27 September 2021, organisations must use the new SCCs when entering into new contracts. Existing contracts using the old SCCs can however remain in place as long as the actual underlying data processing operations under the contract do not change, failing which the new SCCs should be used from that point on. Organisations should therefore review their contracts to check when they might expire, and/or whether data processing operations have changed, and get ready to include the new SCCs where applicable.
- From 27 December 2022, existing contracts incorporating the old SCCs must be amended by this date to incorporate the new SCCs and organisations must take appropriate measures to comply with any requirements arising from such new SCCs.
For more information on this topic, or if you have any questions relating to data transfers, please contact the Philip Lee data privacy and technology team.