In the eve of the transition period for Brexit, the European Commission has released new draft Standard Contractual Clauses on 12 November. There are two sets of documents (the “New SCCs”) which are now open for public consultation until 10 December 2020, and are also subject to feedback from the European Data Protection authorities. It is expected that the New SCCs will be formally adopted by the European Commission in early 2021.
As currently released, there are two documents:
- Draft new standard contractual clauses for the transfer of personal data from the EU to third countries (“Third Country SCCs”); and
- Draft standard contractual clauses for data controllers when engaging processors within the EU, to comply with the requirements of Article 28 of the General Data Protection Regulations (“GDPR”), (the “Controller SCCs”).
The New SCCs are aiming at replacing the previous standard contractual clauses, which was the required safeguard under the GDPR for international transfers of personal data. According to the draft implementation timeline, companies who need to use the New SCCs will have twelve months from the date the New SCCs come into force to replace any existing standard contractual clauses currently being relied upon.
The Third Country SCCs aim to cover some weaknesses that the original standard contractual clauses were found to have. The Third Country SCCs take an adaptive form and have specific clauses that can be chosen to modify the function of the Third Country SCCs to cover controller-to-controller and controller-to-processor relationships. They then go further and also have provisions to cover processor-to-processor and processor-to-controller personal data transfers as well. This is far more comprehensive and will allow for the Third Country SCCs to model the practical function of how businesses interact with personal data.
A further element in the New SCCs is an optional Docking Clause, where new parties can be novated into the New SCCs either as a data importer or exporter by the addition of a further Annex.
The Controller SCCs are draft standard contractual clauses between controllers and processors both located in the EU. They include clauses containing the recommended wording for a controller to impose on the processor which satisfy the contractual requirements that the controller is obliged to impose under Article 28 of the GDPR.
These New SCCs bring clarity and further sophistication to the implementation of GDPR compliance. They will require businesses to assess their current data transfer arrangements and where necessary either put in place New SCCs or replace their existing set of standard contractual clauses to continue making transfers of personal data to affiliates and third parties located outside of the EEA in compliance with the GDPR.
The material contained in this article is only a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.