Pursuant to Article 46(1) lett. c) of the General Data Protection Regulation no. 2016/679 (“GDPR”), the European Commission (“EC”) may adopt standard contractual clauses (“SCCs”) which provide appropriate safeguards for the transfer of personal data to a third country or an international organisation in compliance with the GDPR requirements.
Considering the above, on 4 June 2021, the EC adopted a set of SCCs for the transfer of personal data to third countries.
The aforementioned sets of SCCs have been adopted in order to:
- implement new requirements under the GDPR; and
- take into account the Schrems II judgement of the European Court of Justice (“ECJ”), aimed at ensuring a high level of data protection for citizens.
In particular, on 16 July 2020, through the Schrems II judgement, the ECJ confirmed the validity of the EU SCCs for transfers of personal data to a third country or an international organisation, while invalidating the EU-US Privacy Shield. Thus, the ECJ ruled that international data flows under the European Union’s comprehensive data protection regime can continue to be based on EU SCCs, while also clarifying the conditions under which they can be used.
But let us proceed in order.
What are the SCCs?
Pursuant to Article 46(1) of the GDPR, “in the absence of an adequacy decision of the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.
According to the GDPR, SCCs adopted by the EC are among the measures that represent adequate safeguards and can therefore be used as a ground for data transfers from the EU to third countries.
In particular, the SCCs are standardised model data protection clauses, pre-approved by the EC, which can be incorporated into contractual arrangements on a voluntary basis, providing an easy-to-implement tool to comply with data protection requirements.
The new SCCs approved by the EC
As clarified by the EC, the new SCCs, adopted due to the new requirements introduced by the GDPR and taking into account the Schrems II judgement of the ECJ, will replace the three sets of SCCs which were adopted under the previous Data Protection Directive 95/46.
The new SCCs, which have been adopted after having taken into account the joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”), as well as the Member States’ opinion and stakeholders’ feedback received during a broad public consultation, introduce the following main innovations:
- an update in order to align them to the provisions of the GDPR;
- one single entry-point covering a broad range of transfer scenarios (e.g., data transfer (i) from controller to controller; (ii) from controller to processor; (iii) from processor to processor; and (iv) from processor to controller), instead of separate sets of clauses;
- more flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to adhere and use the clauses;
- a practical toolbox to comply with the Schrems II judgment (i.e. an overview of the different steps that companies have to take in order to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures’, such as encryption, that companies may implement, if necessary).
Moreover, as clarified by the EC, for controllers and processors which are currently using previous sets of standard contractual clauses, a transitional period of 18 months is provided.
As declared by the EC, the new SCCs will offer more legal predictability to businesses and help small and medium-sized enterprises, in particular through the easy-to-implement template, to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.
Moreover, since these SCCs have been issued at a time when a large number of regional organisations and third countries are developing or have already adopted their own standard contractual clauses on the basis of converging principles, the EC has committed itself to intensifying its cooperation with such international partners in order to further facilitate data transfers between different areas of the world.