On 4 June 2021, the European Commission adopted two sets of new Standard Contractual Clauses (“SCCs”), taking into account the Schrems II judgment:
- One set is for use between controllers and processors located in the EU/EEA (or otherwise subject to the GDPR). Effectively, these SCCs contain the compulsory wording of Art. 28.3 and Art. 28.4 GDPR (“28.7 SCCs”); and
- The other set is for the transfer of personal data to non-EU/EEA third countries (not subject to the GDPR) (“Third Country SCCs”).
The newly adopted “Art 28.7 SCCs” and “Third Country SCCs” come into effect on 27 June 2021. Companies that use the current version of SCCs (effectively the old SCCs) executed prior to 27 September 2021 have until 27 December 2022 to implement the new ones, provided that the processing operations that are the subject matter of the contract (with the SCCs) remain unchanged and that reliance on those SCCs ensures that the transfer of personal data is subject to appropriate safeguards.
Another significant update to both sets of SCCs is that they allow more than two exporting parties to join the clauses. They also contain a docking clause which allows entities that were not initially parties to the SCCs to be added at a later date.
Both sets of SCCs forbid the parties to modify them, except for adding information to their Annexes, adding the SCCs to a broader contract, or adding additional safeguards provided that they do not directly or indirectly contradict the SCCs or detract from the fundamental rights or freedoms of data subjects.
1) Art 28.7 SCCs
The Art. 28.7 SCCs are standard contractual clauses laid down by the EU Commission for the matters referred to in Articles 28.3 and 28.4 GDPR.
Effectively, therefore, they are a template for use between controllers and processors located in the EU/EEA (or otherwise subject to the GDPR).
2) Third Country SCCs
The Third Country SCCs govern the transfer of personal data to non-adequate third countries outside the EU/EEA (not subject to the GDPR).
The Third Country SCCs are a single set covering a broad range of transfer scenarios, instead of separate sets of clauses. They follow a modular structure which significantly expands the scope and application of the SCCs compared to the previous version, covering the following scenarios (“Modules”):
- Controllers within the EU/EEA transferring personal data to controllers outside of the EU/EEA;
- Controllers within the EU/EEA transferring personal data to processors outside of the EU/EEA;
- Processors within the EU/EEA transferring personal data to subprocessors outside of the EU/EEA;
- Processors within the EU/EEA transferring personal data to controllers outside of the EU/EEA.
In addition to the general clauses, controllers and processors should select the Modules applicable to their situation, so as to tailor their obligations under the Third Country SCCs to their role and responsibilities in relation to the data processing.
The new Third Country SCCs cover non-EEA/EU entities and can therefore be used by non-EEA/EU entities (subject to the GDPR) who are exporting personal data to another non-EU entity.
Use of SCCs in the UK
At the moment, it is possible for UK data exporters to keep using the previous set of EU SCCs to regulate restricted transfers from the UK.
The UK’s ICO announced that the new Art. 28.7 SCCs and the Third Country SCCs are not applicable for transfers under the UK GDPR. In May 2021, the ICO announced that it is working on its own set of SCCs for transfers outside of the UK.
Please contact Jose Saras if you have any questions.
The material contained in this article is only a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.