European Commission Publishes Two Sets of SCCs
By Sarah Pearce, Ashley Webber, and Daniel Sullivan-Byrne
After several months of speculation, the European Commission has, today, adopted the following sets of Standard Contractual Clauses (SCCs):
- SCCs for the transfer of personal data to third countries; and
- SCCs for controllers and processors in the EU/EEA.
As is noted in the press release, the new SCCs have been prepared to reflect the requirements of the GDPR and, more topically, to take into account the decision of the Court of Justice of the European Union known as Schrems II which, as we know, called into question the lawfulness of international transfers of personal data using the existing SCCs. The new SCCs are intended to “offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers”.
We have noted below our initial key takeaways from each set of SCCs.
SCCs for transfers of personal data to third countries
- There will be an 18-month grace period for companies to replace existing SCCs with the new SCCs.
- The adopted version of the SCCs follows a very similar structure and form to the draft published in November 2020.
- As was proposed in the draft form, the SCCs follow a “modules based” approach such that we now have one set of SCCs to cover 4 possible transfers, namely:
  - Controller to Controller
  - Controller to Processor
  - Processor to Processor
  - Processor to Controller
- As noted above, the new SCCs have been greatly influenced by the Schrems II decision. For example, Clause 8 (which applies to all modules) states that: “The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.” A substantial criticism of the existing SCCs by the Court in Schrems II was that they were not being used in the manner intended i.e. data exporters simply executed the SCCs without taking any steps to ensure the data importer could actually provide adequate protection to the personal data processed in the third country. A further example can be seen in Section III of the new SCCs which includes a series of Clauses designed to protect the personal data once transferred to the third country from access by a governmental authority based on local laws.
SCCs for controllers and processors in the EU/EEA
- These SCCs are intended to provide companies entering into a controller/processor relationship (as regulated by the GDPR) with a standard form contract which satisfies the requirements of Article 28 of the GDPR. As this is the first set of SCCs prepared for this purpose, and their use is optional, there is no implementation period as with the international transfer SCCs.
- The adopted version follows a very similar structure and form to the draft published in November 2020, i.e. the provisions generally closely follow Article 28(3) of the GDPR.
- The onus remains on the parties wishing to use the SCCs to accurately document the data processing particulars in Annex II, e.g. categories of data subjects and personal data, and nature and purpose of processing.
The priority in the coming months will, for most, be on the SCCs for international transfers – many have been waiting since the Schrems II decision before implementing any updates to existing arrangements. Key actions are the following:
- If not already underway, organisations should be mapping out existing and new international data flows in order to identify where transfers are currently taking place based on the existing SCCs or with no transfer mechanism at all.
- The terms of the new SCCs will require careful review in order to fully understand how they are intended to operate.
We are already assisting clients with implementation and will be following up in due course with a full analysis of the terms of the SCCs, including commentary on how they should be used in practice.