Press articles

Privacy – New Standard Contractual Clauses (SCC)

Posted the 9 December 2021
Previous Next
Our latest DEL-Law newsletter (in French, Dutch, and English) covers the entry into force on September 27, 2021, of Commission Implementing Decision (EU) 2021/914 of June 4, 2021. This decision, adopted in the wake of the Schrems II ruling by the CJEU, introduces new Standard Contractual Clauses (SCC) in accordance with the GDPR (Regulation (EU) 2016/679). We assist you with the implementation of these much stricter clauses.

On September 27, 2021, Commission Implementing Decision (EU) 2021/914 of June 4, 2021, comes into effect. This decision, adopted in the wake of the Schrems II ruling by the CJEU, introduces new standard contractual clauses (SCC) in accordance with the GDPR (Regulation (EU) 2016/679).

From this date, the new SCC must be used to provide appropriate safeguards for data protection under Article 46(1) of the GDPR for international data transfers to countries that do not offer an "adequate" level of personal data protection, replacing the old SCC from 2001, 2004, and 2010 based on Directive 95/46. This applies unless another mechanism or exception is relied upon. Contracts signed before September 27, 2021, using the old SCC remain valid until December 27, 2022.

As a reminder, the new SCC must be applied in accordance with Recommendation 2020/01 issued on November 11, 2020, by the European Data Protection Board (EDPB) on supplementary measures to ensure compliance with the level of data protection within the Union.

The new SCC adopt a modular, non-negotiable approach with four scenarios and include additional requirements to ensure adequacy. These include obligations for parties to perform additional transparency and notification checks regarding governmental access requests, and to assess and document the legislation of the third country to confirm that it does not prevent the importer from complying with the SCC's conditions, considering the factual circumstances of the transfer and any additional safeguards in place. Parties must specifically ensure that they have no reason to believe that the laws and practices in the destination country prevent the importer from meeting its obligations under the new SCC. If a legislative change undermines adequacy, the data exporter must suspend the transfer and may terminate the contract.

It is also worth noting the expanded scope, the multi-party docking system, the direct rights granted to data subjects, the replacement of data processing agreements, and the liability provisions established by the SCC.

The new SCC do not apply to UK non-EU transfers.

The DEL-Law team is ready to support you in meeting these stringent requirements.

Related articles