New Standard Contractual Clauses for Cross-Border Transfer of EU Personal Data Released

On June 4, 2021, the European Commission released the final version of its implementing decision adopting new standard contractual clauses (“SCCs”) for use in connection with the transfer of personal data from the European Economic Area (“EEA”) to third parties outside the EEA. The new SCCs are a culmination of efforts to update the SCCs to take into account the requirements of the GDPR and the July 2020 decision in Schrems II by the Court of Justice of the European Union (“CJEU”). In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield and held that SCCs could continue to be used for international data transfers, subject to parties ensuring that transferred data is afforded an adequate level of protection, which may require evaluation and adoption of additional safeguards over and above those provided by the SCCs. The new SCCs became effective June 27, 2021.

Highlights of New SCCs

  • Modular Terms: The new SCCs take a modular approach that covers a broad range of transfer scenarios. The new SCCs may be used for (1) controller-to-controller transfers, (2) controller-to-processor transfers, (3) processor-to-processor transfers, and (4) processor-to-controller transfers.
  • Schrems II Terms: The new SCCs require parties to evaluate each transfer and document that an adequate level of protection is afforded to transferred personal data. Specifically, the SCCs require parties to assess (1) the details of the transfer, including the length of the processing chain, transmission channels, types of personal data, and purpose of processing, (2) the laws and practices of the destination country, including those requiring the disclosure of data to public authorities or authorizing access by public authorities, and (3) any relevant contractual, technical, or organizational safeguards to supplement the safeguards in the SCCs.
  • Onward Transfers: The new SCCs prohibit onward transfers to additional recipients in third countries unless the onward transfer recipient agrees to be bound by the SCCs, or another specified exemption applies.
  • Use of Sub-Processors: The new SCCs include form provisions for granting specific or general authorization for processors to engage sub-processors in the context of controller-to-processor and processor-to-processor transfers. Since the enactment of the GDPR in 2018, many companies operating as processors have developed form language for use in data processing agreements that are required between controllers and processors under Article 28 of the GDPR to account for such authorization. Commonly, these provisions account for specific operational limitations and efficiencies.
  • Annexes: The new SCCs include three annexes that must be completed. Annex I includes a list of the parties to the SCCs, a description of the personal data transfers, and the identity of the competent supervisory authority for each party to the SCCs. Annex II should describe the technical and organizational measures used to ensure an appropriate level of protection for the personal data. Annex III should list sub-processors used by the processor if the processor has received limited specific authorization to engage sub-processors. Annex III does not apply in the case of general authorization.
  • Docking Clause: The new SCCs allow for new parties (either as a data exporter or importer) to be added to already executed SCCs rather than requiring the SCCs to be re-executed.
  • Other Clauses: The SCCs include a number of other general clauses that apply regardless of the type of transfer and role of the parties, including clauses relating to the redress mechanism available to data subjects, liability of the parties in the event of a breach of the SCCs, termination, choice of law, and jurisdiction.

The full article in its original form can be found here.

Sharon R. Klein (LAW ’78), is a partner in the corporate division and Chair of the Privacy, Security, and Data Protection Practice at Blank Rome. She specializes in assessing and mitigating risks related to the privacy and security of personal data, ownership, and commercialization of data artificial intelligence.

Jennifer J. Daniels is a partner in the corporate division at Blank Rome, where she provides counsel on regulatory and general corporate law matters.

Alex C. Nisenbaum is a partner in the corporate division at Blank Rome, where he advises clients on data privacy and information security laws and regulations.

Karen H. Shin is an associate in the corporate division at Blank Rome, where she focuses her practice on a diverse range of data privacy and information security matters.

Leave a Comment