A brief guide to the Replacement Standard Contractual Clauses issued by the European Commission in 2021.
What are SCCs?
Under GDPR, transfers of personal data to third countries are prohibited. However where appropriate safeguards are in place to protect the data, these transfers are allowed.
Third countries are countries that are not in the EEA, and that do not have an ‘adequacy decision’ in their favour from the European Commission.
An adequacy decision is only made to countries whose data protection laws protect personal data in an equivalent manner to the GDPR.
Note that the UK received its adequacy decision from the EC in June 2021, so that countries in the EU can now safely transfer data to us without it having to have SCCs in place with us.
The SCCs are the most common method of safeguarding when it comes to transfers to third countries.
SCCs are a standard set of terms that are provided by the European Commission to use for such transfers. Apart from where minor tweaks are needed, you must not make any changes to the SCCs, unless it is to add protections or more clauses on business related issues. You can add parties (i.e. additional data importers or exporters) provided they are also bound by the SCCs.
2. Replacement Standard Contractual Clauses
BRIEF INTRODUCTION TO SCCs
• GDPR restricts the transfer of personal data to ‘third
countries’, save where appropriate “safeguards” in place.
• Standard Contractual Clauses (“SCCs”) are one safeguard – a
standard set of contractual terms put together by the
European Commission.
• Can be used to transfer data to a ‘third country’, being a
country that does not have an “adequacy decision” by the
European Commission.
3. Replacement Standard Contractual Clauses
NEW “REPLACEMENT” SCCs
• European Commission published Implementing Decision
adopting new Standard Contractual Clauses (“New SCCs”)
on 4th June 2021
• Clauses can be used from 27th June 2021 (the “effective
date”)
4. Replacement Standard Contractual Clauses
NEW SCCs
• New SCCs address 3 key points:
– Allow parties to meet international data transfer obligations under
the General Data Protection Regulation (“GDPR”)
– Consistent with Schrems II judgement
– Address known deficiencies in current standard contractual clauses
5. Replacement Standard Contractual Clauses
NEW SCCs
• Old SCCs were only:
– Controller to processor
– Processor to controller
New ones cover:
From a controller to another controller (C2C)
From a controller to a processor (C2P)
From a processor to a processor (P2P)
From a processor to its appointing controller (P2C)
– Consistent with Schrems II judgement
– Address known deficiencies in current standard contractual clauses
6. Replacement Standard Contractual Clauses
TRANSITION PERIOD
• What does this mean in practice?
– Organisations can start using the new SCCs immediately
– Data exporters and importers can still use the old SCCs for two
more months, to 27 September 2021.
– After 27th September 2021, no new contracts can be signed using the
old SCCs
– Data exporters and importers have 18 months from 27 June 2021
(until 27.12.22) to replace contracts using the old SCCs with
contracts using the new
7. Replacement Standard Contractual Clauses
WHEN ARE NEW SCCS USED?
– When the data exporter is subject to GDPR and not in EU
e.g. processing data of EU citizens from Panama
OR
– When the data importer is not subject to GDPR
e.g. French exporter sending data to Panama
8. Replacement Standard Contractual Clauses
STRUCTURE OF NEW CLAUSES
• New SCCs cover transfers from:
– Controller to another controller (C2C)
– Controller to a processor (C2P)
– Processor to a processor (P2P)
– Processor to its appointing controller (P2C)
• Docking clauses
9. Replacement Standard Contractual Clauses
STRUCTURE OF NEW CLAUSES
• “Docking Clause”:
– allows new parties to accede to new clauses in case of
changes over time
– Useful for intra-group data transfers (e.g. if new
subsidiary is set up that needs to ‘sign up’ to the intra-
group arrangements with an overseas parent company).
10. Replacement Standard Contractual Clauses
STRUCTURE OF NEW CLAUSES
New SCCs are drafted to take into account the decision in
Schrems II:
• restate clauses from old SCCs that were considered
positively by the ECJ, e.g.: obligations on
• data exporter to consider “level of protection of
personal data in third country” (EDPB Report,
Annexe 3)
• data importer to notify exporter of its inability to
comply with SCCs (if that be the case), and
• exporter to suspend data transfers or terminate
agreement as a result
SCCs incorporate clauses to bring them in line with the
Schrems judgement such as the new requirement for data
transfer impact assessments (DTIAs)
11. Replacement Standard Contractual Clauses
DATA TRANSFER IMPACT ASSESSMENT
• Transfer impact assessment is a risk assessment.
The new SCCs set out the factors that data exporters need
to consider in a transfer impact assessment:
• Facts of transfer
• Local laws of the importer
• Relevant technical, contractual or organisational
safeguards which may be needed
12. Replacement Standard Contractual Clauses
DATA TRANSFER IMPACT ASSESSMENT
Once risk assessment undertaken, EXPORTER must:
– Keep record of the risk assessment
– provide copy to authority if requested
– take appropriate action (e.g. suspend or terminate
processing) if DTIA evidences non-compliance
– maintain measures that allow the parties quickly to
suspend/terminate their agreement if either unable
to comply at any point
13. Replacement Standard Contractual Clauses
DATA TRANSFER IMPACT ASSESSMENT
• Further obligations on data importers in respect of public
authorities. The data importer must:
– notify the data exporter when local laws change
– notify data exporter and data subjects that importer has received a
request by a public authority to access personal data
– assess the legality of such order/request and challenge the order if
considered illegal
– (where possible) seek interim measures to suspend disclosure
– Disclose the minimum amount of personal data reasonably possible
– Document requests and steps taken in response
– supply information and a transparency report to data exporter
14. Replacement Standard Contractual Clauses
UK COMPATABILITY
• Future Transfers
– New SCCs do not presently cover transfers of personal
data from UK
– Old SCCs can still be used for restricted transfers from
UK until the ICO has come up with something suitable
ICO has created UK versions of old SCCs:
Controller to controller
Controller to processor
– UK would need to approve the new SCCs for them to be
valid in the UK.
15. Replacement Standard Contractual Clauses
UK COMPATABILITY
• Existing Transfers
– Old SCCs can still be used for restricted transfers from UK,
and can be used after transition period (27.9.21)
– After Schrems II, need to assess if there is ‘essentially
equivalent’ protection in place in importer’s country
If old SCCs do not provide sufficient protection, take additional
measures
– European Commission now approved the UK as having
adequacy => no SCCs required for transferring data to UK
16. Replacement Standard Contractual Clauses
FUTURE OF SCCS
• ICO intends to consult on and publish UK specific SCCs
during 2021.
• ICO and Secretary of State to monitor SCC transitional
arrangements.
• Old SCCs may cease at some point to be valid for new
and/or existing restricted transfers from the UK.
17. Replacement Standard Contractual Clauses
Thank you for listening!
ICO’s UK versions of old SCCs:
Controller to controller
Controller to processor
EDPB’s Recommendations 01/2020 on measures that supplement transfer
tools to ensure compliance with the EU level of protection of personal
data: here
Waterfront’s Data Transfer Impact Assessment template: here
DTIA Advice Note: here