The European Commission (EC) published the final version of the Standard Contractual Clauses (SCCs) on June 4, following the draft proposal on November 12, 2020. The topic is of great interest for companies operating outside the European Economic Area (EEA) or working with companies that are. SCCs should help these companies achieve GDPR compliance.

For those less acquainted with them, SCCs help ensure safer international data transfers. A principle of accountability applies to controllers that export personal data to countries outside of the EEA: controllers must ensure that no matter what mechanism and supplemental measures govern a data transfer, the data must receive the same protection at its destination as it would in the European Union (EU), or else the data transfer will violate the GDPR.

For international data transfers to be possible, the GDPR requires the adoption of mechanisms/measures that ensure that transfers are carried out safely, which may include obtaining the data subject’s consent, adopting Binding Corporate Rules (BCR), ad hoc contractual clauses, approving codes of conduct or certification mechanisms, and/or SCCs.

SCCs set out appropriate safeguards regarding data transfers from (i) controller to controller, (ii) controller to processor, (iii) processor to processor, and (iv) processor to controller.

The new SCCs include general provisions that are applicable to all transfers of data, regardless of the nature of the parties, and specific provisions that the parties should include where they fit their specific situation (again, a principle of accountability applies). General obligations include ensuring that data protection rules in the country of destination do not prevent the processing of personal data in accordance with the standard contractual clauses applied, as well as ensuring the minimization of data disclosure to public authorities, a shared responsibility between the parties in case of a data breach, etc.

The new SCCs also address both onward transfers and subscription by third parties. Onward transfers of personal data can lawfully occur, provided the third party subscribes to the SCCs. Subscription to the SCCs is enabled through a docking clause.

The EC sets out a transitional period, during which companies relying on old SCCs under existing data transfer agreements will be able to rely on those outdated SCCs for 18 months after the publication of the new SCCs. For companies entering into new data transfer agreements, the new SCCs ought to be the mechanism to rely on for the purpose of international data transfers, as the old SCCs will be repealed for future use three months after the publication of the new SCCs.