In June 2021, the European Commission published its decision to adopt new standard contractual clauses (New SCCs). The New SCCs modernise previous standard contractual clauses that were adopted before the introduction of the GDPR (Previous SCCs), introduce flexibility and account for current data transfer practices.
Standard contractual clauses (SCCs) safeguard the transfer of personal data between the European Economic Area (EEA) and third countries which are not considered by the European Commission to provide an adequate level of protection to data subjects by virtue of an adequacy decision (Third Countries).
What are SCCs and when are they required?
SCCs are standardised and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under the GDPR.
SCCs are one of the primary safeguards for transferring personal data to Third Countries pursuant to article 46 of the GDPR. SCCs effectively ensure that the personal data transferred to a Third Country is protected to the same degree as it would be within the EEA.
27 December 2022 deadline
By now, organisations relying upon SCCs to transfer personal data out of the EEA should be using New SCCs for any transfer agreements entered into after 27 September 2021. For organisations that entered into a transfer agreement before 27 September 2021 and used Previous SCCs, they have until 27 December 2022 to switch to the New SCCs.
Previous SCCs will not be regarded as appropriate safeguards under article 46 of the GDPR after 27 December 2022.
In order to avoid the risk of complaints from data subjects, fines or transfer restrictions, organisations should identify transfer agreements that need to be amended, review and update their data transfer impact assessments (TIAs), consider any supplementary measures, if needed, and transition to the New SCCs in advance of the deadline. A TIA is a risk assessment that allows organisations to determine if SCCs provide sufficient protection given the specific circumstances of the transfer. TIAs are undertaken on a case-by-case basis and can be inspected by the relevant supervising authority.
The European Commission recently published questions and answers dealing with common queries on implementing the New SCCs, which can be accessed here.
Hayes’ experienced data protection team is available to assist you and your business to transition to the New SCCs and advise you in relation to TIAs. For more information, contact Laura Fannin or Denise O’Shaughnessy.Back to Full News
Share this article:
About the Authors
Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.
Denise is an associate solicitor in the Commercial and Business team at Hayes solicitors. She advises clients on a variety of commercial and business law matters including drafting, negotiation and review of commercial contracts and advising companies and state bodies in relation to their data protection obligations under the General Data Protection Regulation.