Data Protection: New Standard Contractual Clauses published

The European Commission has this month adopted and published finalised versions of two new sets of Standard Contractual Clauses (“SCCs”).  One set of SCCs is for the transfer of personal data from the EEA to third countries.  The second set is for use between controllers and processors within the EEA to meet the requirements for controller-processor contracts. The new SCCs follow on from the European Commission’s draft implementing decisions on SCCs issued in November 2020.

What are standard contractual clauses?

SCCs for the transfer of personal data are standard sets of terms designed to ensure that the freedoms and rights of individuals are upheld when personal data leaves the EEA to a country outside the EEA.  These countries may not offer the same level of protection as EU data protection legislation and SCCs are used to address this deficiency.

Previously, the European Commission had published three different sets of SCCs for international data transfers, dating back to 2001, 2004 and 2010. These were designed to cover two specific processing activities: controller-to-controller transfers and controller-to-processor transfers.

Whilst the previous SCCs for international data transfers were appropriate at the time, there have been significant developments in EU data protection legislation since they were introduced.  Two of the biggest developments are the introduction of the General Data Protection Regulation and the Court of Justice of the European Union’s decision in Schrems II which annulled the existing EU-US Privacy Shield and required supplementary measures to be taken in respect of data transfers to third countries.  The new SCCs for international data transfers make substantial changes to the existing SCCs to bring them up to date with these developments. These changes and the newly developed SCCs are intended to play a greater role in legitimising and protecting international data transfers.

SCCs & International data transfers - what changes have been made?

Some of the key changes include the following:

  • The new SCCs cover a wider range of processing activities and can be used for the following transfers:
    • controller-to-controller
    • controller-to-processor
    • processor-to-controller and
    • processor-to-processor.

Processor-to-processor and processor-to-controller transfers were not covered by the previous SCCs.

  • The new SCCs are more flexible than their predecessors. A modular approach has been adopted which means that the SCCs have been consolidated into one document with relevant clauses to be selected as appropriate.
  • Scope for use by more than two parties. There is also a “docking clause” that can be used to allow additional parties to join the SCCs at a later date.
  • The new SCCs include a “practical toolbox” to aid compliance with the issues identified by Schrems II. In particular, they include a requirement to carry out and document an assessment of the laws of the destination country to ensure that the local laws do not prevent compliance with the SCCs and include examples of possible “supplementary measures”, such as encryption.

SCCs & International data transfers - things to consider

  • The European Commission’s Implementing Decision was published on 7 June 2021 and comes into force on 27 June 2021.
  • The previous SCCs will cease to be valid for future use on 27 September 2021. As such, during the three-month transition period, parties seeking to enter into SCCs can choose to adopt the older versions or the newer version.  
  • All use of the previous SCCs must stop by 27 December 2022, i.e. 18 months after publication of the Implementing Decision.  Old style SCCs concluded before 27 September 2021 will remain valid until 27 December 2022 provided the data processing activities remain the same.

SCCs & International data transfers - the UK

Importantly, the new SCCs only apply to personal data being transferred from the EEA to a third country. As such, they will not apply to transfers from the UK to a third country and in such circumstances, the previous SCCs should be adopted until such time as the UK Government publishes new SCCs to bring them up to date with the current legislation. The UK ICO has previously announced that it intends to consult on draft SCCs this summer.

SCCs for controller-processor contracts

The second set of SCCs, which are optional, contain provisions which are intended to allow controllers and processors within the EEA to meet the requirements of Article 28 of the GDPR as to what must be included in data processing contracts.

The new SCCs can be reviewed here.

How can we help?

If you have queries in relation to international data transfers, whether from the EU or the UK, data processing arrangements and the use of Standard Contractual Clauses, please get in touch with a member of our specialist Data Protection & Cyber Security team.

This article was co-written by Haris Saleem, Trainee Solicitor.
