Data Protection: New Standard Contractual Clauses published

The European Commission has this month adopted and published finalised versions of two new sets of Standard Contractual Clauses (“SCCs”).  One set of SSCs is for the transfer of personal data from the EEA to third countries.  The second set is for use between controllers and processors within the EEA to meet the requirements for controller-processor contracts. The new SCCs follow on from the European Commission’s draft implementing decisions on SSCs issued in November 2020.

What are standard contractual clauses?

SCCs for the transfer of personal data are standard sets of terms designed to ensure that the freedoms and rights of individuals are upheld when personal data leaves the EEA to a country outside the EEA.  These countries may not offer the same level of protection as EU data protection legislation and SCCs are used to address this deficiency.

There were previously three different sets of SCCs for international data transfers dating back to 2001, 2004 and 2010 published by the European Commission designed to cover two specific processing activities, controller-to-controller transfers and controller-to-processor transfers.

Whilst the previous SCCs for international data transfers were appropriate at the time, there have been significant developments in EU data protection legislation since they were introduced.  Two of the biggest developments are the introduction of the General Data Protection Regulation and the Court of Justice of the European Union’s decision in Schrems II which annulled the existing EU-US Privacy Shield and required supplementary measures to be taken in respect of data transfers to third countries.  The new SCCs for international data transfers make substantial changes to the existing SCCs to bring them up to date with these developments. These changes and the newly developed SCCs are intended to play a greater role in legitimising and protecting international data transfers.

SSCs & International data transfers - what changes have been made?

Some of the key changes include the following:

  • The new SCCs cover a wider range of processing activities and can be used for the following transfers:
    • controller-to-controller
    • controller-to-processor
    • processor-to controller and
    • processor-to-processor.

Processor-to-processor and processor-to-controller transfers were not covered by the previous SCCs.

  • The new SCCs are more flexible than their predecessors. A modular approach has been adopted which means that the SCCs have been consolidated into one document with relevant clauses to be selected as appropriate.
  • Scope for use by more than two parties. There is also a “docking clause” that can be used to allow additional parties to join the SSCs at a later date.
  • The new SCCs include a “practical toolbox” to aid compliance with the issues identified by Schrems II. In particular, they include a requirement to carry out and document an assessment of the laws of the destination country to ensure that the local laws do not prevent compliance with the SCCs and include examples of possible ‘supplementary measures', such as encryption.
SSCs & International data transfers - things to consider
  • The European Commission’s Implementing Decision was published on 7 June 2021 and comes into force on 27 June 2021.
  • The previous SCCs will cease to be valid for future use on 27 September 2021. As such, during the three-month transition period, parties seeking to enter into SCCs can choose to adopt the older versions or the newer version.  
  • All use of the previous SSCs must stop by 27 December 2022, i.e. 18 months after publication of the Implementing Decision.  Old style SCCs concluded before 27 September 2021 will remain valid until 27 December 2022 provided the data processing activities remain the same
SSCs & International data transfers - the UK

Importantly, the new SCCs only apply to personal data being transferred from the EEA to a third country. As such, they will not apply to transfers from the UK to a third country and in such circumstances, the previous SCCs should be adopted until such time as the UK Government publishes new SCCs to bring them up to date with the current legislation. The UK ICO has previously announced that it intends to consult on draft SSCs this summer.

SSCs for controller - processor contracts

The second set of SSCs, which are optional, contain provisions which are intended to allow controllers and processors within the EEA to meet the requirements of Article 28 of the GDPR and what must be included in data processing contracts.   

The new SCCs can be reviewed here.

How can we help?

If you have queries in relation to international data transfers, whether from the EU or the UK, data processing arrangements and the use of Standard Contractual Clauses, please get in touch with a member of our specialist Data Protection & Cyber Security team.

This article was co-written by Haris Saleem, Trainee Solicitor.

Latest updates from @MacRoberts

  • Huge congratulations to Rebecca Cox in our Corporate Finance team who has been shortlisted for the Rising Star of t… https://t.co/sgIS8tsxej 1 hour ago
  • MacRoberts is delighted to be shortlisted at this year’s Scottish Legal Awards! We're up for Firm of the Year & t… https://t.co/LfaBwKCeXC 19 hours ago
  • Have you and your partner been considering moving in together? Are you aware of the legal implications that this ma… https://t.co/BCgW2nHnCR 29/07/2021
  • Following a consultation in 2019, the UK Government has outlined its intention to introduce a mandatory duty on emp… https://t.co/2XBrafRQ22 29/07/2021
  • Our award-winning Family Law team can help you and your partner through difficult situations by providing support w… https://t.co/sOwEmv13fP 27/07/2021
  • To celebrate the Olympic Games in Tokyo, we're delighted to launch our latest sporting challenge in support of our… https://t.co/Y8IEq3eT53 23/07/2021
  • MacRoberts is recruiting! We are currently looking for a Real Estate Planning Solicitor to join the MacRoberts tea… https://t.co/ioGQaF2hQc 23/07/2021
  • The countdown is on! With just 100 days to go, we’re looking forward to #COP26 in Glasgow! ♻️ As a firm accredite… https://t.co/Ooldhmo8tW 22/07/2021
  • Has lockdown led you to consider a move to the countryside? From discussing a possible purchase to obtaining the… https://t.co/patbF42pjk 22/07/2021
  • Have you seen our latest vacancies? 💼 We currently have opportunities in various departments across the firm. Fin… https://t.co/NpiWs2sphg 21/07/2021
  • Acas has published new guidance for employers with helpful information on #flexibleworking & #hybridworking. With t… https://t.co/SoX87hFkko 20/07/2021
  • Busting the myth that a career in law is only for the privileged few: @marikaflawyer is speaking at this morning’s… https://t.co/awfcub4cw0 19/07/2021
  • MacRoberts is recruiting! We are currently looking for a Support Services Assistant to join our team in Edinburgh.… https://t.co/DJ27fRmmdb 16/07/2021
  • MacRoberts is pleased to have been part of the team advising @HV_Systems in its £5m capital boost from Beehive Equi… https://t.co/BxcwjCgIVk 15/07/2021
  • MacRoberts is recruiting! We are currently looking for a NQ Solicitor to join our Conveyancing & Private Client te… https://t.co/zubGY4zo0D 14/07/2021