
European Commission Adopts New Standard Contractual Clauses 

June 15, 2021 | By Preiskel & Co

On 4 June 2021, the European Commission adopted two sets of new Standard Contractual Clauses (“SCCs”), taking into account the Schrems II judgment:

  1. One set is for use between controllers and processors located in the EU/EEA (or otherwise subject to the GDPR); effectively, these SCCs contain the compulsory wording of Art. 28.3 and Art. 28.4 GDPR (“28.7 SCCs”); and
  2. The other set is for the transfer of personal data to non-EU/EEA third countries (not subject to the GDPR) (“Third Country SCCs”).

The newly adopted “Art 28.7 SCCs” and “Third Country SCCs” come into effect on 27 June 2021. Companies that use the current version of the SCCs (effectively the old SCCs), executed prior to 27 September 2021, have until 27 December 2022 to implement the new ones, provided that the processing operations that are the subject matter of the contract (with the SCCs) remain unchanged and that reliance on those SCCs ensures that the transfer of personal data is subject to appropriate safeguards.

Another significant update to both sets of SCCs is that they allow more than two exporting parties to join the clauses. They also contain a docking clause which allows entities that were not initially parties to the SCCs to be added at a later date.

Both sets of SCCs forbid the parties to modify them, except for adding information to their Annexes, adding the SCCs to a broader contract, or adding additional safeguards provided that they do not directly or indirectly contradict the SCCs or detract from the fundamental rights or freedoms of data subjects.

1) Art 28.7 SCCs

The Art. 28.7 SCCs are standard contractual clauses laid down by the EU Commission for the matters referred to in Articles 28.3 and 28.4 GDPR.

Effectively, therefore, they are a template for use between controllers and processors located in the EU/EEA (or otherwise subject to the GDPR).

2) Third Country SCCs

The Third Country SCCs govern the transfer of personal data to non-adequate third countries outside the EU/EEA (not subject to the GDPR).

The Third Country SCCs are a single set covering a broad range of transfer scenarios, instead of separate sets of clauses. They follow a modular structure which significantly expands the scope and application of the SCCs compared to the previous version, covering the following scenarios (“Modules”):

  1. Controllers within the EU/EEA transferring personal data to controllers outside of the EU/EEA;
  2. Controllers within the EU/EEA transferring personal data to processors outside of the EU/EEA;
  3. Processors within the EU/EEA transferring personal data to subprocessors outside of the EU/EEA;
  4. Processors within the EU/EEA transferring personal data to controllers outside of the EU/EEA.

In addition to the general clauses, controllers and processors should select the Modules applicable to their situation, so as to tailor their obligations under the Third Country SCCs to their role and responsibilities in relation to the data processing.

The new Third Country SCCs cover non-EEA/EU entities and can therefore be used by non-EEA/EU entities (subject to the GDPR) who are exporting personal data to another non-EU entity.

Use of SCCs in the UK

At the moment, it is possible for UK data exporters to keep using the previous set of EU SCCs to regulate restricted transfers from the UK.

The UK’s ICO announced that the new Art. 28.7 SCCs and the Third Country SCCs are not applicable for transfers under the UK GDPR. In May 2021, the ICO announced that it is working on its own set of SCCs for transfers outside of the UK.

Please contact Jose Saras if you have any questions.

The material contained in this article is only a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.

 
