Insights European Commission adopts two sets of new Standard Contractual Clauses (SCCs)

The Commission has adopted two sets of SCCs: (i) for use between controllers and processors; and (ii) for the transfer of personal data to third countries.

The Commission says that the new SCCs reflect new requirements under the General Data Protection Regulation (2016/670/EU) (GDPR) and take into account “Schrems II”, ensuring a high level of data protection for citizens. They also take into account the joint Opinion of the European Data Protection Board and the European Data Protection Supervisor, feedback from stakeholders during the public consultation, and the opinion of Member States’ representatives.

The Commission said that the SCCs provide businesses with “an easy-to-implement template” that gives comfort on compliance with data protection requirements.

Key points of the SCCs include:

  • they have been updated in line with the GDPR;
  • they provide one single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
  • they provide more flexibility for complex processing chains through a “modular approach” and by offering the opportunity for more than two parties to join and use the clauses; and
  • they represent a practical way of complying with Schrems II by offering an overview of the different steps companies have to take to comply with Schrems II, as well as examples of possible supplementary measures, such as encryption, that companies can take if necessary.

There is a transition grace period for controllers and processors that are currently using previous sets of SCCs. To read the Commission’s press release in full and for links to the new SCCs, click here.