December 1, 2021

Volume XI, Number 335


December 01, 2021

Subscribe to Latest Legal News and Analysis

November 30, 2021

Subscribe to Latest Legal News and Analysis

November 29, 2021

Subscribe to Latest Legal News and Analysis

Implementation of New Standard Contractual Clauses

On 12 November 2020, the European Commission (Commission) published a draft Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (GDPR) along with its draft set of new standard contractual clauses (the New SCCs).

Background: Restricted Transfers Under GDPR

The GDPR primarily applies to controllers and processors located in the European Economic Area (EEA), with some exceptions. Individuals risk losing protection under the GDPR if their personal data is transferred outside of the EEA. The GDPR, therefore, restricts such transfers ('restricted transfers'), unless rights of individuals are protected in another way or an exception applies.

A restricted transfer can be made if it is necessary to meet your purposes and one of the following three conditions are satisfied:

1. If the country or territory where the data recipient is located, or the specific sector in that territory in which the data recipient operates, is subject to the Commission's 'adequacy decision'.

  • This is a decision that the legal framework in a particular country or territory provides 'adequate' protection for individuals' rights and freedoms for their personal data.

  • So far, the Commission has recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Adequacy talks are ongoing with South Korea.

2. If there is no relevant adequacy decision, but you have implemented one or more of the 'appropriate safeguards' listed in the GDPR. These safeguards are to ensure you and the recipient are legally required to protect individuals' rights and freedoms for their personal data. One example is that you and the data recipient based outside the EEA have entered into a contract incorporating standard data protection clauses adopted by the Commission (i.e., standard contractual clauses (SCCs)). The Commission has adopted four sets of SCCs under the GDPR. The draft Implementing Decision seeks to replace these with the New SCCs, which are annexed to the decision.

3. If your proposed restricted transfer is not covered by an adequacy decision nor appropriate safeguards, an exception in the GDPR applies. For example, there is an exception if the individual has given their explicit consent to the restricted transfer or it is necessary to perform a contract you have with the individual. Note, however, that relying on an exception is a last resort option.

The New Standard Contractual Clauses

The draft Implementing Decision explains that the SCCs previously adopted by the Commission needed to be updated and modernised due to new requirements in the GDPR and developments in the digital economy.

The New SCCs combine general clauses with a modular approach, to cater for various transfer scenarios and the complexity of modern data-processing chains. Controllers and processors should use the general clauses and, in addition, select the modules applicable to their situations. The modules vary based on the transfer scenario and designation of the parties under the GDPR and distinguish (1) controller-to-controller transfers; (2) controller-to-processor transfers; (3) processor-to-processor transfers; and (4) processor-to-controller transfers. This approach allows you to tailor your obligations to your corresponding role and responsibility in relation to the data processing at issue.

Other Key Features of the New SCCs

  • It is possible for more than two parties to adhere to the New SCCs and additional parties can accede throughout the cycle of the contract.

  • The New SCCs may be used for transfer of personal data to a sub-processor in a non-EEA country, subject to certain exceptions.

  • With certain exceptions, data subjects should be able to invoke the New SCCs as third-party beneficiaries. This means that the law chosen as governing the contract must allow for third-party beneficiary rights.

  • The New SCCs provide for rules on liability between the parties and with respect to data subjects and rules on indemnification between the parties.

  • Where a data subject suffers damage as a consequence of breach of third-party beneficiary rights under the New SCCs, they would be entitled to compensation.

  • The laws of the country of the recipient must not prevent you from complying with the New SCCs.

When Will the New SCCs Be Adopted?

The adoption process for the New SCCs requires an opinion of the European Data Protection Board and the positive vote of EU Member States through the comitology procedure (which requires the Commission to consult a committee in which each EU country is represented before it can adopt an implementing act). The final SCCs are expected to be adopted early this year.

©2021 Katten Muchin Rosenman LLPNational Law Review, Volume XI, Number 64

About this Author

Karen Artz Ash, Intellectual Property Attorney, Katten Muchin

Designers, apparel manufacturers and other clothing businesses seek out Karen Artz Ash, national co-chair of Katten’s Intellectual Property department and co-head of the Trademarks and Trademark Litigation practice, because of her experience in all aspects of intellectual property, trademarks and copyrights.

Karen handles the structuring and administration of intellectual property, including establishing holding companies and trusts, and the creation, development, implementation and administration of licensing, servicing and manufacturing for companies worldwide....

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

Christopher Hitchins, Katten Muchin London UK, investment documentation attorney, labor disputes management lawyer

Christopher Hitchins focuses his practice on the full range of employment law issues, acting for employers or senior individuals in a wide range of sectors, with a particular focus on the financial services, technology, hotel, retail and media industries.

Chris advises on all contentious and non-contentious UK employment law matters. He has significant experience advising on senior executive employment, partnership and investment documentation, managing disputes and exits as well as team moves, advising businesses on restructurings involving the...

44 (0) 20 7776 7663
Sarah Simpson, Katten Law Firm, London, Intellectual Property Attorney

Sarah Simpson is an associate at Katten Muchin Rosenman UK LLP. Sarah practices commercial and intellectual property law, with a particular focus on EU and UK trademarks, brand protection, copyright, design rights, data protection, commercial contracts, regulatory and general commercial matters. She has experience of advising clients in the fashion, fashion-technology, luxury brands, retail, consumer goods, financial technology and education sectors. Sarah advises both local and international clients.

Trisha Sircar Privacy, Data and Cybersecurity Attorney Katten Muchin Rosenman New York, NY

The value of data as an asset has increased substantially in today's global digital economy. In the high-stakes environment of global intellectual property and technology services, businesses, consumers and individuals need protection. With more than a decade of experience in helping to protect a wide range of businesses — including one of the world's largest insurance companies — Privacy, Data and Cybersecurity partner Trisha Sircar provides practical guidance and creative solutions regarding global privacy and data security risks and compliance issues.

Operating at the...