On June 4th, the European Commission (EC) approved the long awaited new Standard Contractual Clauses (SCCs) for transfers of personal data, replacing the former Clauses issued under Directive 95/46/EC. The SCCs arrive over 3 years after the application of Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR). These new Clauses were long anticipated, specially in virtue of the Schrems II judgement of the Court of Justice, and aim to also reflect the requirements associated with this ruling.

The new SCCs

The SCCs are a contractual instrument that sets out the obligations of the parties as well as the technical and organisational measures to be taken when transferring personal data to third countries, so as to ensure that even when data is transferred to a jurisdiction outside the European Economic Area, a level of protection essentially equivalent to that of the European Union (EU) is maintained.

The SCCs adopted in the light of Directive 95/46/EC (Decision 2001/497/EC and Decision 2010/87/EU) are now replaced by the following Clauses:

What has changed with the new SCCs?

The new Clauses have not only been updated with respect to their predecessors. They have also been adapted to reflect the current context of transfers of personal data to third countries, where other legal basis for the transfer (namely, adequacy decisions) are not applicable. The EC has sought to make the new SCCs more predictable in their application and to simplify the free flow of data across EU borders.

In summary, the new SCCs bring the following innovations:

GDPR Alignment This results in a higher level of protection and greater legal certainty when transferring data to third countries.

Broader Scope of Application
The former Clauses, between Data Controller (Exporter) and Data Controller (Importer) and between Data Controller (Exporter) and a processor (Importer) established in third countries, are now replaced by a single set of Clauses for the transfer of personal data to third countries.This has addressed the legal uncertainty that existed up until now, as the previous SCCs addressed a limited set of relationships in the chain of processing of personal data.

The new Clauses regulate a wider set of operations which may occur during transfers of personal data, without the need for different sets of Clauses. The Clauses now foresee relations between Controller – Controller; Controller – Processor; Processor – Processor (an important gap which is now closed); and Processor – Controller (where the Processor is based in the EU and processes personal data from a third country together with personal data collected in the EU).

Greater Flexibility in the Number of Parties
A new clause is approved, the Docking clause. The clause is optional but offers the possibility for new subjects to accede to the clauses already entered into by the Parties.The acceding of the new Party is subject to the agreement between the Parties of the already signed Clauses, and the associated rights and obligations will only apply from the date of their acceding.

Proactive Accountability
In alignment with the accountability principle set out in the GDPR, the Parties shall actively demonstrate their compliance with the terms and content of the Clauses. In particular, the data importer shall keep appropriate documentation of the processing operations carried out on behalf of the controller, which is necessary to demonstrate compliance with the Clauses.

Relation to the Schrems II judgment

Although this is an essential instrument to carry out transfers of data to third countries, the conclusion of the SCCs does not in itself validate such operations. In order to ensure that the transfers are compliant, the Parties must also comply with the requirements of the Schrems II Judgment and the European Data Protection Board’s (EDPB) Guidelines.

Thus, the new SCCs foresee an additional step prior to their conclusion: a prior assessment to ensure that the third country’s legislation protects the rights and freedoms of data subjects and that compliance with the obligations set out therein does not go beyond what is necessary and proportionate in a democratic society.

This prior assessment aims, namely, to identify legal obligations and other elements (e.g. of a political nature) associated to the third country’s environment which are relevant to the transfer of data and that may limit the effectiveness of the measures and safeguards present in SCCs. Requests for disclosure of data by public authorities or authorising access by these authorities should be identified from the very beginning.

Therefore, it is essential that entities seeking to perform transfers to third countries conduct and document this prior assessment, identify possible vulnerabilities of the destination third country and adopt, if necessary, additional measures to mitigate the identified risks. This assessment should be documented by the Parties and, whenever requested, made available to the appropriate supervisory authority.

More from VdA