21.06.2021

New standard contractual clauses for data transfers to third countries

The European Commission adopted the new standard contractual clauses for the transfer of personal data to third countries by decision of 4 June 2021. This means a renewed need for adaptation in the field of data protection for companies in the EU that process data, or have data processed, outside the EU/EEA.

In a nutshell:

  • Changes necessary for almost all companies
  • Previous standard contractual clauses may only be used to a limited extent (transition period until the end of 2022)
  • Urgent need for action for new contracts/contract amendments with third-country transfers

Standard contractual clauses (SCCs) are the most commonly used instrument to legitimise an international data transfer to third countries. The contractual sets developed by the EU provide guarantees for data transfers when agreed between the parties involved in the data transfer. Since the EU-US Privacy Shield can no longer be used due to the so-called Schrems II ruling of the European Court of Justice, SCCs are also the primary basis of legitimacy for data transfers to the USA.

The previous SCCs will be repealed, so that after the expiry of a transition period, the contractual partners must agree on the new SCCs for international data transfers (e.g. to a cloud service provider with servers in the USA).

What is new?

Previously, the EU Commission had provided three different sets of SCCs. The new SCCs are not just an update, but are systematically structured as a single modular set of clauses.
The most important changes are:

  • Modular structure: Regulation of different transmission situations (controller → controller, controller → processor and new: processor → processor, processor → controller), increased adaptation effort in the selection and composition of modules
  • Flexibility in the number of contracting parties: Reduction of the formal effort for data transmissions in a group of companies
  • Integrated provisions for data processing
  • Explicit further obligations of the parties, including risk assessment of data transfer to be documented
  • Assistance in implementing the requirements from the Schrems II ruling of the European Court of Justice, but no exemption from the obligation to implement additional security measures in individual cases.

What needs to be done?

For a transition period until 27 December 2022, the previous SCCs already agreed can remain in place if no contract amendments are made. In the case of contract amendments and new contracts, the previous SCCs must be replaced by the new SCCs from 27 September 2021 onwards. At the end of the transition period, all agreed SCCs must have been converted to the new versions. After that, data transfers outside the EU/EEA based on the old SCCs are no longer permitted. A data transfer outside the EU/EEA without a sufficient basis of legitimacy may then constitute a data protection violation, which may result in prohibitions of data processing or even fines.

Companies do not have to adapt their data protection agreements in a rush, but the effort required to make the changes should not be underestimated. Especially in larger companies or groups of companies, the replacement of existing SCCs should be started immediately in order to meet the implementation deadline.

Recommended course of action:

  • Identify international data transfers based on previous SCCs
  • Compile SCC sets for the different constellations
  • Prepare risk assessment: Identify risk-reducing and risk-increasing assessment factors using the new SCCs (Self Assessment Checklist)
  • Carry out and document risk assessment for each individual data transfer
  • If necessary, define additional technical and organisational measures, obligations and safeguards
  • Contact contractual parties to replace old SCCs and initiate agreed contract change process, if applicable
  • Check compliance with the agreed measures by the contractual partners

Timeline

The decision was published in the EU Official Journal on 7 June and will enter into force on 27 June 2021. With effect from 27 September 2021, the previous SCCs will be repealed. Contracts concluded or to be concluded before 27 September 2021 on the basis of the previous SCCs are deemed to provide appropriate safeguards within the meaning of Article 46(1) of the GDPR for a further 15-month transition period until 27 December 2022. This assumes, however, that the processing operations covered by the contract remain unchanged and that the implementation of the SCCs complies with the requirements outlined above.

The following chart shows the timeline for the transition phase:

 

Contact Persons
Silvia C. Bauer
Partner
Cologne
silvia.c.bauer@luther-lawfirm.com
+49 221 9937 25789

Dr Stefanie Hellmich, LL.M.
Partner
Frankfurt a.M.
stefanie.hellmich@luther-lawfirm.com
+49 69 27229 24118

Christian Kuß, LL.M.
Partner
Cologne
christian.kuss@luther-lawfirm.com
+49 221 9937 25686

Dr Michael Rath
Partner
Cologne
michael.rath@luther-lawfirm.com
+49 221 9937 25795