December 1, 2022

Volume XII, Number 335



Important Updates For Businesses That Transfer Data From Europe: European Commission Adopts New Standard Contractual Clauses

On Friday, June 4, 2021, the European Commission adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to “third countries” (i.e., countries outside the EEA).  We highlight three key points for the cross-border clauses.  

1. What are the timelines for using the new clauses?

Existing transfers: Parties can continue to rely on the old clauses for up to 18 months (until December 24, 2022) as long as the processing operations remain unchanged and the use of the clauses ensures the transfer of personal data is subject to adequate safeguards (e.g., continue to consider post-Schrems II risk assessments and related factors).

New transfers: Parties can use the old clauses for 3 months (until September 24, 2021) for new transfers.  After that, parties will need to use the new clauses.

2. What are the key changes?

According to the European Commission, the new clauses address the following:

  • Updates in line with the General Data Protection Regulation (note the old clauses pre-dated the GDPR)

  • One set of clauses to address multiple transfer scenarios (versus different sets of clauses depending on the transfer); this expands the types of scenarios covered to include processor-to-processor and processor-to-controller transfers in addition to the previously covered controller-to-controller and controller-to-processor transfers

  • Flexibility to add more than two parties to the clauses (to address complex data processing scenarios)

  • A toolbox to comply with Schrems II requirements

3. What should I do next?

  • Parties using the old clauses should take steps to update their contracts to the new clauses. The timeframe to complete this task will depend on whether the data transfer activities remain the same or are expected to change.

  • Some entities that were previously unable to use the clauses now have the option to use them (processor-to-processor and processor-to-controller). In those cases, the parties can assess whether they should enter into the new clauses to facilitate cross-border transfers.

  • If you make changes to your cross-border data transfer compliance approach, then don’t forget to update your policies and procedures to reflect these changes (such as your website privacy notices or internal process documents).

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved. National Law Review, Volume XI, Number 158

About this Author

Tara Cho CIPP/US CIPP/E Data Security Attorney Womble Bond

Tara focuses her practice on privacy and data security issues across multiple industries such as technology, retail, e-commerce, and life sciences, with an emphasis on compliance risks and regulatory requirements affecting the healthcare sector. Tara became certified as a legal specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization in 2018 as part of the inaugural class of specialists in this field – one of just 10 attorneys in the state to hold this certification.

She helps clients with all aspects of privacy and data...

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addresses information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Of Counsel

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. | 2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude