On Friday, June 4, 2021, the European Commission published the highly anticipated new standard contractual clauses (SCCs). This is the first revision since 2010. SCCs have been the preferred mechanism governing personal data transfers for many organizations since the General Data Protection Regulation (GDPR) became enforceable in 2018, and even more organizations have since turned to SCCs following last summer’s invalidation of the Privacy Shield framework as a valid transfer mechanism.
As the privacy community took the weekend to digest the new clauses, here are a few of the insights:
First and foremost, there is a transition period
- The prior SCCs are expected to be formally repealed in three months (September 2021), at which point any new contracts must use the new clauses. All existing contracts also need to be transitioned, but the total timeline for doing so is 18 months, which runs to the end of 2022. Relying upon existing data processing agreements (DPAs) will not be sufficient for GDPR compliance.
There are new modules depending on the type of relationship between the two entities
- The new SCCs combine general clauses with a modular approach that addresses more data transfer scenarios than the prior SCCs. For U.S.-based companies supporting European customers, the most common modules will be numbers two and four, depending on whether the controller or the processor initiates the clauses. Additionally, a docking clause is included to allow for increased flexibility where new parties join the processing chain after the initial contract execution. Evaluating the transfer relationship and implementing clauses with the appropriate modules will be necessary for GDPR compliance.
New clauses
- As a result of the Schrems II decision, Clauses 14 and 15 have been added. Clause 14 requires the performance of a data transfer assessment, and Clause 15 requires notification to the data exporter that a request from a public authority for access to the data has been received. Simply signing new DPAs will not be sufficient by itself. To comply with GDPR, they must be accompanied by a data transfer assessment.


