Privacy – New SCC’s
Posted the 27 September 2021On 27 September 2021, the Commission implementing decision (EU) 2021/914 of 4 June 2021 adopted in the
aftermath of the Schrems II ruling of the ECJ and setting out new standard contractual clauses (SCC’s) pursuant to
the GDPR (Regulation (EU) 2016/679, enters into force. Following, as from 27 September 2021, the new set of SCC’s
has to be used to ensure appropriate data protection safeguards within the meaning of Article 46(1) of the GDPR for
international data transfers to countries that do not provide an “adequate” level of protection for personal data
instead of the former SCC’s of 2001, 2004 and 2010 based on the Directive 95/46. Obviously when one does not rely
on other mechanism or an exception for the transfer. Contracts concluded before 27 September 2021 using the
former SCC’s shall however remain valid until 27 December 2022.
By way of remainder, the new SCC’s have to be applied in line with the Recommendations 2020/01 issued on 11
November 2020 by the European Data Protection Board on measures that supplement transfer tools to ensure
compliance with the EU level of protection of personal data.
The new SCC’s that entails a modular non-negotiable 4 sets approach provides additional requirements to ensure
adequacy including the obligation for the parties to apply additional transparency and notification controls covering
government access requests, and to carry out and document an assessment of the laws of the third country to
confirm said laws do not prevent the importer’s compliance with the terms in the SCCs, taking into account with
the factual circumstances of the transfer and any additional safeguards adopted. In particular the parties have to
warrant that they have no reason to believe that the laws and practices in the country of destination prevent the
importer from complying with its obligations under the new SCCs. If a change in law no longer guarantees adequacy,
the data exporter has to suspend the transfer and may terminate the contract.
Also to note the extended scope of application, the multi-parties docking system, the direct rights granted to data
subjects, the replacement of data processing agreements or the liability system set up by the SCC’s.
The new SCC’s do not apply to the UK non-EU transfers.
DEL-Law’s team stand ready to assist you with this rather stringent requirements.