On 4th June 2021, the European Commission adopted new standard contractual clauses (also referred to as New EU SCCs) for the transfer of personal data to what are known as ‘third countries’ (see below). These New EU SCCs will replace the current SCCs after a transitional period.
What are SCCs?
The standard contractual clauses (SCCs) are a set of standard terms that are provided by the European Commission to use for transfers of personal data to countries outside the EEA which have not been recognised by the European Commission (EC) as having data protection laws with an adequate level of protection for data subjects compared to those under EU law. These are known as ‘third countries’ because they do not have the benefit of an ‘adequacy decision’ in their favour from the EC.
Under the General Data Protection Regulation or GDPR, a transfer of personal data to a third country is prohibited. However, where there are appropriate safeguards in place to protect personal data, data transfers to third countries may be allowed. The SCCs are the most common method of safeguarding when it comes to such transfers because they include terms which effectively bring the transfer in line with European data protection laws.
New EU SCCs
On 4th June 2021, the European Commission published its final Implementing Decision adopting new standard contractual clauses. This follows the draft implementing decision and clauses issued by the European Commission for consultation on 12 November 2020.
The New EU SCCs have been available for use since 27 June of this year, and there is currently a transitional period in place for contracts using the old version of the SCCs.
The decision of the EC implementing the old SCCs will be repealed on 27 September 2021. From this date, organisations putting in place new contracts requiring SCCs will need to use the New EU SCCs.
Organisations that have entered into contracts prior to 27 September 2021 can rely on the old SCCs and will have until 27 December 2022 to replace existing contracts with the New EU SCCs. There is one exception to that: where the processing operations of existing contracts using old SCCs change, those contracts will need to be updated immediately to refer to the New EU SCCs.
Structure of the New EU SCCs
The New EU SCCs are modular and can therefore be used for transfers:
This plugs a gap in the old SCCs, which only applied to controller-to-controller or controller-to-processor transfers.
The New EU SCCs also:
A transfer impact assessment is also now required when transferring data to a third country. For more information, look out for our next blog on Data Transfer Impact Assessments.
The SCCs and UK GDPR
Personal data transfers between the European Economic Area and the UK do not require SCCs, as the EU gave its adequacy decision for the UK on 28 June 2021.
For data transfers between the UK and third countries, the New EU SCCs cannot be used. UK data protection legislation only references the standard contractual clauses which were approved as at 31 December 2020. These are a modification of the old SCCs (the UK SCCs).
The UK Information Commissioner has said that her Office will consult on a new, UK specific, International Data Transfer Agreement (IDTA) that may replace the UK SCCs.
It is important to note that, although the New EU SCCs are not valid in the UK, as a result of an important case decided by the European Court, if you are making a restricted transfer from the UK using SCCs (i.e. to a third country), you must assess whether those SCCs provide protection which is ‘essentially equivalent’ to the protections under UK data protection legislation and, if they do not, put in place supplementary measures. See our DTIA blog referred to above for further information on that.