Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

European Commission Adopts New Standard Contractual Clauses 

June 15, 2021By Preiskel & Co

On 4 June 2021, the European Commission adopted two sets of new Standard Contractual Clauses (“SCCs”), taking into account the Schrems II judgment:

  1. One set is for use between controllers and processors located in the EU/EEA (or otherwise subject to the GDPR): Effectively these SCCs contain the Art.28.3 and Art.28.4 GDPR compulsory wording) (“28.7 SCCs”); and
  2. The other set is for the transfer of personal data to Non-EU/EEA third countries (not subject to the GDPR) (“Third Country SCCs”).

The newly adopted “Art 28.7 SCCs” and “Third Country SCCs” come into effect on 27 June 2021 and companies which use the current version of SCCs (effectively the old SCCs) executed prior to 27 September 2021, have until 27 December 2022 to implement the new ones (provided the processing operations that are the subject matter of the contract – with the SCCs – remain unchanged and that reliance on those SCCs ensures that the transfer of personal data is subject to appropriate safeguards).

Another significant update to both sets of SCCs is that they allow more than two exporting parties to join the clauses. They also contain a docking clause which allows entities that were not initially parties to the SCCs to be added at a later date.

Both sets of SCCs forbid the parties to modify them, except for adding information to their Annexes, adding the SCCs to a broader contract, or adding additional safeguards provided that they do not directly or indirectly contradict the SCCs or detract from the fundamental rights or freedoms of data subjects.

1) Art 28.7 SCCs

The Art. 28.7 SCCs are standard contractual clauses laid down by the EU Commission for the matters referred to in Articles 28.3 and 28.4 GDPR.

Therefore, effectively, they are a template for use between controllers and processors located in EU/EEA (or otherwise subject to the GDPR).

2) Third Country SCCs

The Third Country SCCs govern the transfer of personal data to non-adequate EU/EEA third countries (not subject to the GDPR).

The Third Country SCCs are a single set covering a broad range of transfer scenarios, instead of separate sets of clauses. They follow a modular structure which significantly expands the scope and application of the SCCs compared to the previous version, covering the following scenarios (“Modules”):

  1. Controllers within the EU/EEA transferring personal data to controllers outside of the EU/EEA;
  2. Controllers within the EU/EEA transferring personal data to processors outside of the EU/EEA;
  3. Processors within the EU/EEA transferring personal data to subprocessors outside of the EU/EEA;
  4. Processors within the EU/EEA transferring personal data to controllers outside of the EU/ EEA.

In addition to the general clauses, controllers and processors should select the Modules applicable to their situation, so as to tailor their obligations under the Third Country SCCs to their role and responsibilities in relation to the data processing.

The new Third Country SCCs cover non-EEA/EU entities and can therefore be used by non-EEA/EU entities (subject to the GDPR) who are exporting personal data to another non-EU entity.

Use of SCCs in the UK

At the moment, it is possible for UK data exporters to keep using the previous set of EU SCCs to regulate restricted transfers from the UK.

The UK’s ICO announced that the new Art. 28.7 SCCS and the Third Country SCCs are not applicable for transfers under the UK GDPR. In May 2021, the ICO announced that it is working on its own set of SCCs for transfers outside of the UK.

Please contact Jose Saras if you have any questions.

The material contained in this article is only a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.

 

Latest Preiskel & Co blog posts
  • CMA AI Report: The Foundation of the UK’s AI Response
    September 21, 2023
  • Navigating Health Data Compliance: A Roadmap for Employers
    September 21, 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK
    September 15, 2023
  • Practical Guide – Net Neutrality in the UK
    September 14, 2023
  • Virgin succeeded in defending a claim by EE for loss of EE’s profits caused by Virgin’s breach of the MVNO Exclusivity Clause
    September 12, 2023
  • Getting out of a (data) scrape: global statement published for the protection of publicly accessible personal data online
    September 8, 2023
  • The dark side of design: the ICO and CMA call for businesses to rethink their website layouts
    August 18, 2023
  • Could the Supreme Court’s ruling on litigation funding agreements cause havoc for litigation funders?
    August 17, 2023
  • US Threats of a ‘Te(ch)xodus’ from the UK?
    August 17, 2023
  • Smoother Sailing for EU-US Data Transfers after GDPR Adequacy Decision
    August 4, 2023
  • Unlocking Data Flows: EU-US Data Privacy Framework Receives Adequacy Decision
    July 13, 2023
  • UK’s World Leading Approach on Artificial Intelligence – White Paper outlines 5 guideline principles for responsible use of AI
    July 5, 2023

The Preiskel Blog

  • CMA AI Report: The Foundation of the UK’s AI Response 21 Sep 2023
  • Navigating Health Data Compliance: A Roadmap for Employers 21 Sep 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK 15 Sep 2023
  • Practical Guide – Net Neutrality in the UK 14 Sep 2023

Preiskel news

  • Practical Guide – Net Neutrality in the UK
  • Danny Preiskel featured in GCCM Magazine (June/July 2023 issue 55)  
  • Danny Preiskel moderating a panel at the MEF Connects – The Future of Fraud Prevention event (5th September 2023, hybrid)
  • Preiskel & Co advised TMT Analysis on the acquisition of Phronesis Technologies
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy