European Commission Publishes Final Version of SSC, Imposes Obligations on Data Controllers and Processors

Written by

Achieved Compliance

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses (“SCC”) for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”). The Commission also released the final version of the new SCCs. The new version of SCC is in part a response to the decision in the Schrems II case, which raised questions about whether they provide necessary protections for the trans-Atlantic transfer of data.

The guidance makes clear that companies using SCCs will face new compliance challenges. The implementing decision makes the important point that the controllers and processors will need to do more in advance of signing them.
To meet SCC requirements, companies, whether data importers or exporters, must understand the nature and extent of the transferred data and establish necessary protections to comply with the SCCs' requirements. Stated simply, companies will need to conduct a data protection impact assessment to understand what risks the transfer of data will raise and take steps to address them.

Companies will also need to document the steps it takes to fulfill the requirements of the SCCs.

The implementing decision also imposes significant additional requirements:

  • The controller and processor should be able to demonstrate compliance;
  • The importer should maintain appropriate documentation for the processing activities for which it is responsible;
  • The data importer must promptly inform the data exporter if it becomes unable to comply with the clauses, for any reason.
  • Should the data importer breach the clauses or be unable to comply with them, the data exporter should end the transfer of data and, in serious cases, have the right to terminate the contract, as it concerns the processing of personal data under the SCCs.

Clearly decision means organizations have to take far more significant action than previously. Organizations use SCCs to ensure they implement appropriate data protection safeguards for international data transfers. Therefore, the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) can incorporate those standard contractual clauses in a wider contract and add other clauses or additional safeguards, provided they do not contradict the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. Encouragement is given for controllers and processors to offer additional safeguards through contractual commitments supplementing the standard contractual clauses.

All organizations will likely need to replace the old SCCs with the new SCCs by approximately December 2022 at the latest. For many organizations with a large number of contractual relationships, that means time is of the essence.

Achieved Compliance offers expert support and a clear action plan. Contact us today.