New standard clauses for transfers outside the EU/EEA

Under point (c) of Article 46(2) of the General Data Protection Regulation, the European Commission may adopt SCCs, which can then be used by data controllers and data processors as a transfer basis when transferring personal data to countries outside the EU/EEA (third countries).

In November 2020, the European Commission published a draft of the new SCCs. The new SCCs should be seen in the context of the European Court of Justice’s judgement in the Schrems II case of July 2020. The CJEU ruled that transfers of personal data to third countries must have protection essentially equivalent to the level of protection provided for in the General Data Protection Regulation and that SCCs are no longer sufficient in all situations to achieve this protection by default.

The new SCCs constitute one of the main transfer bases for transfers to third countries and will, together with the final versions of the EDPB's recommendations for additional measures, address the challenges of the Schrems II decision in practice.
 

THE NEW CONTENT

The textual content has been updated and is now in line with the wording of the General Data Protection Regulation. The new SCCs consist of a document with built-in modules and can therefore cover four different scenarios:

1) Transfer from a data controller to a data controller
2) Transfer from a data controller to a data processor
3) Transfer from a data processor to a data processor
4) Transfer from a data processor to a data controller

These scenarios all concern transfers from a data exporter located within the EU/EEA to a data importer located in a third country.

The new SCCs provide that SCC's take precedence over other agreements between the parties in the case of a discrepancy between the SCC and the other agreement (clause 5). Also, the new SCCs are more flexible than the previous ones, as it is now possible to add more provisions or measures to the SCC, as long as they do not conflict with the original text (clause 2).

With the new SCCs, the transparency is increased for the data subject, as the data subjects now have the right to receive a copy of the SCCs used as a transfer basis, and the data subjects must be informed of this right (clause 8).

It is also worth noting that the new SCCs provide that the data importer is obliged to inform the data exporter if public authorities access the transferred personal data (clause 15).

The new SCCs also provide for the possibility of using a "docking" clause under which it is possible for third parties to join the agreement. This will make it easier to handle party replacement over time (Clause 7).

ENTRY INTO FORCE

The new SCCs are particularly relevant to data processors and data controllers who already transfer personal data to third countries. The SCCs entered into force on 27 June 2021 and will finally replace the former SCCs on 27 September 2021. After that, all transfer agreements must be concluded according to the new SCCs. All transfers that are or will be based on the previous SCCs by 27 September 2021 can continue until 27 December 2022 and must then be replaced.

NJORD'S COMMENTS

The new SCCs are particularly relevant to data processors and data controllers who are already transferring personal data to third countries. In this case, preparations should be made to replace the former SCCs, any contract with a data importer should be updated based on this.