The European Commission has published new standard contractual clauses for international personal data transfers
Transfers of personal data (or personal information) from the European Union (“EU”) to countries that are not members of the European Economic Erea (“EEA”), i.e. EU plus Norway, Iceland and Liechtenstein may in principle take place only, when there is an adequate level of protection to the fundamental rights of individuals (data subjects) for protection. Adequacy assessments may be carried out by those who are wishing to transfer data out the EAA themselves, or by the European Commission (“Commission”). The Commission has determined several countries that ensure an adequate level of protection by reasons of their domestic law or the international commitments they have entered into.
Also in the absence of an adequacy decision personal data may still be transferred from the EU to a non-EEA country. However, in the latter case the organization wishing to transfer data outside the EEA must provide adequate safeguards to the rights of the data subjects. One of those is the adopting of the Commission’s Standard Contractual Clauses (“SCCs”).
On June 4, 2021 the Commission issued modernized SCCs under the GDPR for data transfers from controllers to processors in the EU/EEA to controllers or processors outside the EU/EEA (and not subject to GDPR). The new SCCs according to the Commission shall reflect the requirements under the GDPR and also taking to account the Schrems II judgement of the Court of Justice, ensuring a high level of data protection for citizens.
Accordingly, these new tools shall offer more legal predictability to European businesses and help in particular SMEs to ensure compliance with the requirements for safe data transfers while allowing data to move freely across borders, without legal barriers.
However, it is not sufficient to simply sign the SCCs and hand them over to the contract management department. The new SCCs are to be embedded carefully in the framework of data flow. We are happy to helping with their proper implementation.
For controllers and processes that are currently using previous sets of SCCs a transition period of 18 months is provided. It should not be forgotten that this transition period does not mean that the provisions of the GDPR do not already have to be taken into account in international data traffic.
Thomas Hertl
Head of Technology & Media at ASD