Following the debates surrounding the ECJ decision in the Schrems II case (case C-311/18) with regard to the US Privacy Shield, the effectiveness of the use of Standard Contractual Clauses (SCCs) as GDPR compliant international data transfer mechanism under article 46 of the GDPR had also been questioned.
Following further EDPB guidance on the adequate protection level and additional measures safeguarding the EU data protection level, it was obvious that the mere conclusion of SCCs may no longer be considered sufficient and that EU data controllers would have to further audit most of their non-EEA data importers on a case-by-case basis through further impact assessments in order to evaluate whether said third country data importers would be able to effectively comply with the SCCs.
On November 12, 2020, the European Commission published new draft SCCs for public consultation. The new SCCs have been adopted today (see EU Commission website).
The new set of SCCs introduces four types of SCCs governing controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers, allowing data exporters to bring new legal certainty into their data transfers after the upheaval brought by the Schrems II decision.
The new SCCs introduce additional safeguards and formalise the impact assessment introduced by the earlier EDPB guidance. Data exporters may rely on SCCs but will have to assess priorly whether they will have to put in place additional technical, organisational or contractual measures, given the legislation of the concerned importing third country that is not offering appropriate safeguards and a sufficient and effective level of data protection according to EU standards.
The EU Commission’s decision on SCCs shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.
Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for transfers of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council was published in the Official Journal of June 7, 2021.
The previous Decisions 2001/497/EC and 2010/87/EU on standard clauses will be repealed with effect from 27 September 2021.
Contracts concluded before September 27, 2021 on the basis of these Decisions and the previous standard contractual clauses are deemed to provide adequate safeguards within the meaning of Article 46, paragraph 1, of the GDPR until December 27, 2022, provided that the processing operations which are the subject of the contract remain unchanged and the reliance on these clauses ensures that the transfer of personal data is subject to adequate safeguards.
In parallel, Commission Implementing Decision (EU) 2021/915 of June 4, 2021 on standard contractual clauses between controllers and processors under Article 28, paragraph 7, of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29, paragraph 7, of Regulation (EU) 2018/1725 of the European Parliament and of the Council was published. This Decision contains standard contractual clauses which may govern the relationship between a controller and its processor, and between a processor and a sub-processor within the meaning of Article 28(3) and (4) of the GDPR.
Do you have any questions? Please contact us at firstname.lastname@example.org.