Today the European Commission issued the new and long-awaited Standard Contractual Clauses, available here (SCCs). These new SCCs contain updates for the GDPR, and replace the three sets of SCCs that were adopted under the previous Data Protection Directive. The SCCs released today include the following modules:
- Controller to controller transfers,
- Controller to processor transfers,
- Processor to processor transfers, and
- Processor to controller transfers.
The draft SCCs had been open to consultation in December of 2020 (more on our previous blog here). The final drafts issued today will come into effect 20 days after publication on the Official Journal of the European Union, which should be sometime between the 25th and 30th of June 2021.
One concession between the draft and this final version is that organizations have been given an extra six months, or 18 months in total to substitute these new SCCs to govern transfers of data from the EEA to third countries. This means, organizations will have to switch all their existing Model Clause agreements to the new SCCs. The newly issued SCCs apply equally to private and public organizations that transfer data outside the EEA and can be used by controllers and processors not only located within the EEA but also those controllers and processors located outside of the EEA that are subject to the GDPR.
These new SCCs retain the ‘modular’ approach to accommodate various transfer scenarios and the complexity of modern processing and data flows. In addition, there is the flexibility to add additional clauses or safeguards to the SCCs so long as they do not conflicts with the SCCs or prejudice individuals’ fundamental rights granted under the European Charter of Fundamental Rights. The new SCCs are flexible so that two or more parties can agree to them and can join or adhere to them once entered into, which makes a pragmatic change from the prior version of the SCCs, although many organizations did implement multi-party agreements and use deeds of adherence.
These new SCCs also address issued raised by the CJEU’s Schrems II ruling and include provisions on data protection safeguards and rights of redress resulting in the SCCs ensuring that any personal data transferred retains essentially equivalent protection to the GDPR. Individuals will have the right to be informed of the categories of data transfer, a right to obtain a copy of the SCCs and to receive about any onward transfers of their personal data.
The new SCCs also include an obligation by both parties to make and document an assessment that local laws and practices in the country of the data importer are not affecting compliance with the Clauses. A final version of the EDPB recommendations on measures supplementing data transfer tools (more on our previous blog here) that may provide more guidance on this assessment are expected later this month, after the June 18 plenary meeting of the EDPB.
What do organizations have to do now?
Organizations should now start to
- Get an overview over their international data transfers,
- Identify situations where the “old” version of the EU Model Clauses are used,
- Make a local law risk assessment and document this assessment (per transfer),
- Within the next 18 months: Substitute the “old” version of the Model Clauses with the new version, and
- Use the new version of the Model Clauses and do the local law assessment for all future data transfers.
We at Reed Smith have been preparing for the new SCCs and have created a Data Transfer Assessment Tool that includes the option to automate the drafting of these new SCCs and document an assessment of the local laws of the third countries to which personal data is transferred. Feel free to contact us to learn more!