• DE
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

New standard contractual clauses for personal data transfers

08 June 2021
The European Commission has adopted two sets of standard contractual clauses: one set for use between controllers and processors and the other for international transfers of personal data.  Here is our overview of the key points.

On 4 June the European Commission adopted two new sets of standard contractual clauses (SCCs, sometimes referred to as "model clauses"):

  • A new set of clauses for use between a controller and a processor (C2P clauses); and
  • An updated set of clauses for the transfer of personal data to a third country, i.e. a country outside the EEA which does not have an adequacy decision (international transfer clauses).

The international transfer clauses have been updated to reflect the GDPR and the CJEU's decision in the Schrems II case.  These come into force 20 days from today (7 June), the date of publication in the EU Official Journal.  The key points to note are:

  • In relation to the international transfer clauses, there is a transition period of 18 months (until 27 December 2022) for existing contracts which use the previous version, provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
  • For new contracts which involve the international transfer of personal data, there is a transition period of 3 months, so organisations can continue to enter into contracts using the previous version until 26 September 2021.
  • Instead of separate sets of clauses for different processing relationships, the international transfer clauses take a modular approach, covering controller-controller (C2C), controller-processor (C2P), processor-sub-processor (P2P) and processor-controller (P2C) transfers with interchangeable wording.  This approach provides more flexibility for complex processing chains and fills in the well-known gaps in data transfer protection.  
  • The new clauses permit more than two parties to sign up to them, including during the life of the contract. This is a very welcome development, which addresses a large gap in the previous version.
  • Both versions of the clauses (Annex III of the C2P clauses and Annex II of the international transfer clauses) provide a practical toolbox to help organisations to comply with the Schrems II judgment:
  • an overview of the different steps necessary to comply with the Schrems II ruling; and
  • examples of possible ‘supplementary measures' (referred to as technical and organisational measures), such as encryption, that companies may take if necessary to ensure the security of the data.  
  • Businesses must complete this annex with specific, not generic, information.
  • The C2P clauses are optional.
  • Clause 10 of the C2P clauses permits the controller to terminate for the processor's non-compliance.
  • Clause 9 of the C2P clauses imposes different responsibilities on controllers and processors for dealing with data breaches.

The UK position 

Considering the position for UK organisations, as we reported in the May 2021 issue of DWF Data Protection Insights, the UK Information Commissioner's Office (ICO) has stated that it is:

  • working on bespoke UK SCCs for international data transfers, which will be published in draft for consultation in the summer; and 
  • considering recognising transfer tools from other countries, such as the EU SCCs.

In the light of these statements and the transition periods referred to above, we recommend that UK organisations should where appropriate consider waiting for further announcements from the ICO before taking any action.  

Actions to take now 

If you have not already done so, you should prepare your organisation by:

  • mapping all your processing relationships, including C2C, C2P, P2P and P2C; 
  • identifying all international transfers using the previous SCCs;
  • identifying any transfers to the USA on the basis of the Privacy Shield, which was invalidated by the Schrems II decision;
  • prioritising these for updating according to their risk level; and
  • collating the details of all relevant technical and organisational measures which you will need to complete the annexes to the new SCCs.

You will then be ready to update your contracts in a timely manner (for UK organisations, once the ICO has clarified its position).  If you would like any advice on how to map and prioritise your transfers, please contact one of our data protection specialists.

Further Reading

We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set when you accept.

For more detailed information about the cookies we use, see our Cookies page.

Manage your cookies

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set when you accept.

For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

(Required)

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

These cookies are required

Tracking cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing

Diese Cookies werden verwendet, um Ihre Erfahrung auf unserer Website zu verbessern und zu personalisieren. Sie können verwendet werden, um Ihre Anzeigen unserer Produkte zu zeigen, oder um die Leistung unserer Anzeigen zu messen.