September 27, 2021

Volume XI, Number 270

Advertisement

September 24, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

New EU Standard Contractual Clauses for International Transfers

The European Commission has today published its new Standard Contractual Clauses (“SCCs”) for international transfers of personal data (see here). 

We have pulled out a few key questions and answers to address immediate issues:

  1. What do the new SCCs address?  Rather than addressing just controller to controller, or controller to processor, transfers (which was the case under the old SCCs), the new SCCs are modular and, in addition to these transfers, they also address processor to processor, and processor to controller transfers. This new modular approach much better fits the reality of data transfers, particularly because they can be used by data exporters that are not established in the EEA but who are still subject to GDPR by virtue of their offering good or services to, or monitoring the behavior of, individuals in the EU.

  2. Do the new SCCs address issues raised by Schrems II?  Yes. The new SCCs include provisions to address the concerns regarding international transfers raised in the Schrems II case. Of note, and at odds with guidance previously issued by the European Data Protection Board, the new SCCs appear to take a risk based approach to Schrems II compliance by permitting the parties to consider different elements as part of an overall assessment of risk. These elements include, for example, practical experience with prior instances of requests for disclosure from public authorities.

  3. Do I have to use the new SCCs for new transfers?  New transfers can be undertaken under the old SCCs for the next 3 months. However, it will likely be more practical for new transfers to be undertaken pursuant to the new SCCs.

  4. What about existing transfers?  Do I have to immediately switch to the new SCCs? There is a grace period of 18 months for existing transfers, after which organizations will be required to switch to the new SCCs.

  5. What should I be doing now?  Review and update template DPAs to incorporate the new SCCs, and ensure that any new transfers are undertaken subject to them. With respect to existing transfers, identify existing transfers undertaken pursuant to the old SCCs and identify what type of transfer under the new SCCs is being undertaken (i.e controller to controller, processor to controller). Then, start to amend applicable contracts / DPAs to incorporate the appropriate version of the new SCCs in good time to meet the 18 month implementation deadline.

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume XI, Number 155
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Shareholder

Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters.  Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing.  She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement...

303.583.8228
Advertisement
Advertisement
Advertisement