Blog

European commission adopts new Standard Contractual Clauses (SCCs)

June 4, 2021

N/A

On June 4, 2021, the European Commission adopted two sets of highly anticipated modernized standard contractual clauses (SCCs). The validity of SSCs was put in doubt following the CJEU’s decision in the Schrems II case in July 2020, and the Commission issued its set of draft revised SCCs for public consultation in November. As expected, the Commission has now issued its finalized SCCs for the transfer of personal data to third countries (Third Country SCCs). The Commission also adopted and released its SCCs for use between Controllers and Processors under Article 28 of the GDPR. The two new sets of SCCs are said to align more closely with the GDPR and will “offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.”

New third country SCCs & transparency of processing

The new Third Country SCCs aim to take a pre-approved, standardized approach in order to offer a single point of entry, flexibility, and to ensure that companies are able to meet the data protection requirements of their data transfers. According to the European Commission press release, there will be an 18-month transition period for Controllers and Processors relying on previous sets of SCCs.

The Third Country SCCs issued by the Commission adopt a modular approach to reflect the diversity in modern data transfer scenarios including – controller to controller, controller to processor, processor to processor, and processor to controller. Where applicable, the Third Country SCCs will also regulate the use of sub-processors. Each of the modules contain detailed clauses relating to requirements for:

  • Purpose limitation
  • Transparency
  • Accuracy and data minimization
  • Storage limitation
  • Security
  • Onward transfers

The Commission highlights that parties must declare that they have taken several elements into account, including the laws and practices of the third country destination. Different factors that also need to be considered include the relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative timeframe.

The transparency of processing was also highlighted by the Commission that outlined obligations for data subjects to be provided with a copy of the standard contractual clauses as well as being informed of the categories of personal data processed, the right to obtain a copy of the standard contractual clauses, and any onward transfer.

Vice-President for Values and Transparency, Vera Jourová said: “In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernised Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”

How OneTrust helps

OneTrust assists with an enhanced set of tools, guidance, and templates including pre-built SCC validation templates, third-country assessments, Transfer Impact Assessments (TIAs), and the ability to Document additional controls that may be put in place for GDPR equivalent protection. OneTrust helps to operationalize holistic privacy and security programs through its privacy, security, and data governance platform, ensuring that the proper operational processes, technical controls, and compliance mechanisms have been implemented across the organization.

While discussions are ongoing around a potential Privacy Shield 2.0, the new Third Country SCCs adopted by the European Commission will give organizations some long-awaited clarity around the modernization of this transfer mechanism. However, updating SCCs for third-country transfers and SCCs under Article 28 of the GDPR will be a large administrative burden for organizations. For more information about how OneTrust can help with the new European Commission modernized SCCs visit OneTrust.com to request a demo.

Further reading on the European Commission’s New Standard Contractual Clauses:

Follow OneTrust on LinkedInTwitter, or YouTube for the latest on the European Commission’s New Standard Contractual Clauses.


You may also like

Webinar

Privacy Management

Managing data transfers

Register for this free webinar to learn how to effectively manage international data transfers in the wake of Schrems II.

July 18, 2023

Learn more

Webinar

Privacy Management

Managing data transfers

Register for this free webinar to learn how to effectively manage international data transfers in the wake of Schrems II.

July 18, 2023

Learn more

Webinar

Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more

Webinar

Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more

Webinar

Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more

Webinar

Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more

Webinar

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more

Webinar

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more

Webinar

Consent & Preferences

Consent-driven advertising: What to know about Google's new CMP requirements

Join us for this expert webinar as we delve into Google's new CMP requirements for ads and best practices for permission-based advertising.

June 27, 2023

Learn more

Webinar

Consent & Preferences

Consent-driven advertising: What to know about Google's new CMP requirements

Join us for this expert webinar as we delve into Google's new CMP requirements for ads and best practices for permission-based advertising.

June 27, 2023

Learn more