European Commission Adopts New Standard Contractual Clauses Under GDPR

2024-09-27 01:00:30

On June 4, 2021, the European Commission formally adopted new Standard Contractual Clauses (SCCs) under the General Data Protection Regulation (GDPR). According to the GDPR, when a data exporter needs to transfer personal data from the European Economic Area (EEA) to a country that is not recognized by the EU as providing adequate protection for personal data, the data exporter and the data importer in that country can enter into SCCs. These clauses outline the conditions, responsibilities, and safeguards for the transfer of personal data. Currently, neither China nor the United States is recognized by the EU as providing adequate protection for personal data.

Transition Period

The new SCCs will take effect 20 days after their publication in the Official Journal of the European Union. The current SCCs will be repealed three months after the new SCCs take effect. During this three-month period, companies may still enter into contracts using the current SCCs. However, within 15 months after the repeal of the current SCCs, companies must re-execute contracts using the new SCCs. In other words, companies have a total of 18 months from the effective date of the new SCCs to make the necessary adjustments.

Key Highlights

This summary highlights only a few key points of the new SCCs. Companies subject to the GDPR are advised to review the full text of the clauses to better understand the requirements. The full text can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.

1. Coverage of Data Transfer Scenarios: The new SCCs cover four transfer scenarios: (i) controller-to-controller transfers, (ii) controller-to-processor transfers, (iii) processor-to-processor transfers, and (iv) processor-to-controller transfers. The current SCCs only apply to the first two scenarios. The new SCCs have a broader scope and are better suited to the complex and evolving data transfer and processing practices of today.

2. Inclusion of Data Processing Terms: The new SCCs not only regulate data transfers but also incorporate the requirements of Article 28 of the GDPR regarding data processing. The current SCCs do not include such provisions, requiring data exporters and data importers (if also data processors) to enter into separate data processing agreements. The new SCCs eliminate this need.

3. Data Transfer Assessment: The new SCCs require both the data exporter and the data importer to warrant that they have assessed the laws and regulations of the destination country and have no reason to believe that such laws would prevent the data importer from fulfilling its obligations under the SCCs. Additionally, the assessment must be documented in writing and provided to supervisory authorities upon request.

4. Data Subjects as Third-Party Beneficiaries: Under the new SCCs, data subjects (individuals whose personal data is being transferred) can act as third-party beneficiaries and directly enforce their rights against the data exporter or data importer. Under the current SCCs, data subjects cannot directly enforce their rights against the data importer unless the data exporter has effectively ceased to exist or no longer has a legal presence.

5. Joining by Additional Parties: The new SCCs allow non-original parties to join the clauses at a later time, provided that the existing parties agree. The identity of the joining party must be specified in the relevant annex.