On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses (“SCC”) for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”). The Commission also released the final version of the new SCCs. The new version of SCC is in part a response to the decision in the Schrems II case, which raised questions about whether they provide necessary protections for the trans-Atlantic transfer of data.
The guidance makes clear that companies using SCCs will face new compliance challenges. The implementing decision makes the important point that the controllers and processors will need to do more in advance of signing them.
To meet SCC requirements, companies, whether data importers or exporters, must understand the nature and extent of the transferred data and establish necessary protections to comply with the SCCs' requirements. Stated simply, companies will need to conduct a data protection impact assessment to understand what risks the transfer of data will raise and take steps to address them.
Companies will also need to document the steps it takes to fulfill the requirements of the SCCs.
Clearly decision means organizations have to take far more significant action than previously. Organizations use SCCs to ensure they implement appropriate data protection safeguards for international data transfers. Therefore, the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) can incorporate those standard contractual clauses in a wider contract and add other clauses or additional safeguards, provided they do not contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. Encouragement is given for controllers and processors to offer additional safeguards through contractual commitments supplementing the standard contractual clauses.
All organizations will likely need to replace the old SCCs with the new SCCs by approximately December 2022 at the latest. For many organizations with a large number of contractual relationships, that means time is of the essence.
Achieved Compliance offers expert support and a clear action plan. Contact us today.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.