EU Commission Issues New Standard Contractual Clauses

The European Commission issued two new sets of standard contractual clauses (SCC) which can be used to legalize the transfer and processing of personal data that is subject to the GDPR. The first set is SCCs for international transfers, which may be used when transferring personal data to destinations that are outside the European Economic Area (EEA) in countries that have not been recognized with an adequacy decision of the EU Commission. The second set is SCCs that serve as a certified “Data Processing Agreement” between controllers and processors that are subject to the GDPR.

The new SCCs for international transfers are drafted in a modular fashion that flexibly supports different cross-border data transfer scenarios: controller-to-controller, controller-to-processor, processor-to-subprocessor, and processor-to-controller. These SCCs also include a “docking” clause enabling additional actors to sign the SCCs subsequently as additional controllers or processors.

The new SCCs for international transfers also aim to cover the additional obligations imposed on data importers and exporters amid the 2020 Schrems II decision of the Court of Justice of the European Union and the final recommendations of the European Data Protection Board on cross-border transfers. Under the new SCCs, the parties undertake to assess the laws of the country of destination and to represent that they have no reason to believe that those laws would diminish the data safeguards that the data importer is committed to under the SCCs.

These SCCs are effective as of June 27, 2021, and may be used from that day forth. Commencing September 27, parties must use these new SCCs for new data transfer scenarios. Parties then have until December 27, 2022, to migrate their legacy transfer agreements which use the old SCCs, to the new SCCs.

The second set of SCCs for controllers and processors provides an optional boilerplate “data processing agreement” that covers all the substance that Article 28 of the GDPR requires to have in place in a contract between a controller and a processor. They may be used instead of the data processing agreements that controllers usually draft themselves for this purpose. These SCCs may be used commencing June 27, 2021.

CLICK HERE to read the SCCs for international data transfers.

CLICK HERE to read the SCCs for controllers and processors.