New Standard Contractual Clauses

Over the years, data protection has become a constantly evolving regulatory landscape, with fines and penalties increasing. The way we process personal data has had to change, and as a result we have been forced to think more about how it is processed, with a consumer-focused approach.

The European Commission published the final Standard Contractual Clauses (“SCCs”) on 4th June 2021 for use from 27th September 2021 when transferring personal data outside the EU/EEA. They can be used for all contracts, including those with sub-processors and data processors within the same group.

The new SCCs also have retrospective effect, and any legacy contracts that include the old SCCs will need to be replaced before 27 December 2022.

The EDPB, in the final version of its recommendations on the supplementary measures required under the SCCs, sets out a six-step approach to establish whether any local laws and practices affect compliance with the SCCs.

This recommendation derives from the Schrems II case where the Bavarian data protection authority concluded that a German business's use of Mailchimp (a US-based supplier) to send customers newsletters was unlawful.

The EDPB’s six steps are set out below:
1. Businesses should carry out a data mapping exercise that covers sub-processors.
2. Make sure that the reason for processing can still be relied upon.
3. Look at each transfer on its own to assess whether any laws, conditions or practices in the receiving third country can in practice impact compliance with the GDPR safeguard levels that the SCCs aim to achieve.
4. Identify and adopt the necessary supplementary measures to ensure an equivalent level of protection.
5. Take practical measures to implement the supplementary measures.
6. On a regular basis, the protection afforded by the processor should be reviewed to ensure an equivalent level of protection.

The new SCCs are long awaited, as many businesses were preparing for this exercise, and it will be a huge administrative project for many. However, this will at least provide some clarity when transferring personal data outside the EU/EEA.


