March 5, 2021

Volume XI, Number 64

Advertisement

March 04, 2021

Subscribe to Latest Legal News and Analysis

March 03, 2021

Subscribe to Latest Legal News and Analysis

March 02, 2021

Subscribe to Latest Legal News and Analysis

EDPB and EDPS Adopt Joint Opinions on Draft SCCs Posted on Janu

On January 15, 2020, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, both for international transfers (“International SCCs”) and for controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). 

Once finalized, the International SCCs will replace the existing sets of SCCs, which were drafted under the Data Protection Directive, for transfers of personal data from within the EEA to organizations in non-EEA countries that have not been recognized as providing an adequate level of data protection. In those cases, the EU General Data Protection Regulation (“GDPR”) requires that a transfer mechanism be implemented. In the wake of the invalidation of the Privacy Shield in the Court of Justice of the European Union’s (the “CJEU”) Schrems II judgment, the majority of organizations will need to rely on the International SCCs to legitimize their transfers.

In a press release issued by the EDPB and EDPS, the EDPB Chair, Andrea Jelinek, commented that the EEA Controller-Processor SCCs were welcomed as a strong, EU-wide accountability tool to facilitate compliance with the GDPR, providing legal certainty to controllers and processors. The Chair requested, however, that sufficient clarity be provided as to the situations where these SCCs may be relied on. Several amendments also have been requested to provide clarity and ensure that the drafts operate practically, including with respect to the “docking clause” that allows new parties to accede to the SCCs. The bodies also requested clarifications with respect to the SCCs’ Annexes, and the roles and responsibilities that should be allocated to controllers and processors therein. The EDPS, Wojciech Wiewiórowski, stated that the aim should be to make the documents as future-proof as possible.

With respect to the International SCCs, the bodies stated that they welcomed the specific provisions intended to address issues identified in the Schrems II judgment, but several provisions could be improved or clarified, such as the SCCs’ scope; certain third party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding data access by public authorities; and the notification to supervisory authorities. The EDPB also highlighted the need for controllers to consider its Recommendations on supplementary measures alongside the SCCs and invited the European Commission to refer to the final version of these recommendations if they are adopted before the European Commission’s SCC decision.

Advertisement
Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 15
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement