On June 4, 2021, the European Commission adopted two sets of highly anticipated modernized standard contractual clauses (SCCs). The validity of SSCs was put in doubt following the CJEU’s decision in the Schrems II case in July 2020, and the Commission issued its set of draft revised SCCs for public consultation in November. As expected, the Commission has now issued its finalized SCCs for the transfer of personal data to third countries (Third Country SCCs). The Commission also adopted and released its SCCs for use between Controllers and Processors under Article 28 of the GDPR. The two new sets of SCCs are said to align more closely with the GDPR and will “offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.”

New third country SCCs & transparency of processing

The new Third Country SCCs aim to take a pre-approved, standardized approach in order to offer a single point of entry, flexibility, and to ensure that companies are able to meet the data protection requirements of their data transfers. According to the European Commission press release, there will be an 18-month transition period for Controllers and Processors relying on previous sets of SCCs.

The Third Country SCCs issued by the Commission adopt a modular approach to reflect the diversity in modern data transfer scenarios including – controller to controller, controller to processor, processor to processor, and processor to controller. Where applicable, the Third Country SCCs will also regulate the use of sub-processors. Each of the modules contain detailed clauses relating to requirements for:

• Purpose limitation
• Transparency
• Accuracy and data minimization
• Storage limitation
• Security
• Onward transfers

The Commission highlights that parties must declare that they have taken several elements into account, including the laws and practices of the third country destination. Different factors that also need to be considered include the relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative timeframe.

The transparency of processing was also highlighted by the Commission that outlined obligations for data subjects to be provided with a copy of the standard contractual clauses as well as being informed of the categories of personal data processed, the right to obtain a copy of the standard contractual clauses, and any onward transfer.

Vice-President for Values and Transparency, Vera Jourová said: “In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernised Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”

How OneTrust helps

OneTrust assists with an enhanced set of tools, guidance, and templates including pre-built SCC validation templates, third-country assessments, Transfer Impact Assessments (TIAs), and the ability to Document additional controls that may be put in place for GDPR equivalent protection. OneTrust helps to operationalize holistic privacy and security programs through its privacy, security, and data governance platform, ensuring that the proper operational processes, technical controls, and compliance mechanisms have been implemented across the organization.

While discussions are ongoing around a potential Privacy Shield 2.0, the new Third Country SCCs adopted by the European Commission will give organizations some long-awaited clarity around the modernization of this transfer mechanism. However, updating SCCs for third-country transfers and SCCs under Article 28 of the GDPR will be a large administrative burden for organizations. For more information about how OneTrust can help with the new European Commission modernized SCCs visit OneTrust.com to request a demo.

Further reading on the European Commission’s New Standard Contractual Clauses:

• European Commission Press Release: European Commission adopts new tools for safe exchanges of personal data
• OneTrust DataGuidance Insight: EU: Commission adopts new SCCs – Reactions and analysis
• OneTrust DataGuidance News: EU: Commission adopts new SCCs for exchanges of personal data
• OneTrust DataGuidance Resources: EU: Commission’s finalised SCCs – Key Resources
• OneTrust DataGuidance Video: Finalised EU SCCs: What You Need to Know

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on the European Commission’s New Standard Contractual Clauses.