On June 4, 2021, the European Commission adopted new standard contractual clauses (SCC) for the transfer of personal data in countries without equivalent data protection clauses taking into consideration the feedback received during the public consultation and the EDPB - EDPS Joint Opinion. Anyone concerned will have 18 months to introduce this new contract template, including the documentation of adequate measures.
These highly anticipated, updated SCCs are intended to ensure lawful transfers of personal data to third countries (non-EU/EEA). An adjustment of the clauses had become necessary due to the entry into force of the GDPR and the Schrems II ruling of the European Court of Justice passed last July.
The new contractual clauses are supposed to better implement the regulatory requirements and the issues raised by the ECJ in its judgment. In the following, we highlight some of the amendments that were made and explain what this could mean for businesses.
The new SCCs have been adapted to the more complex data transfers that take place in the modern world. However, the contract is much more than just a document to be signed. Special focus will be on the documentation of the special security measures to be adopted when transferring data into countries where governmental seizure of the data is a topic, like the USA. The new clauses unfortunately are not the "holy grail" businesses were hoping for. The due diligence effort still required by the concerned parties should not be underestimated.
Companies should now check what personal data they transfer to third countries on the basis of ("old") standard contractual clauses and assess what changes need to be made to replace the old clauses with the new SCCs.
Then it will be a matter of converting the new contract modules into templates that are suitable for everyday business (including the Transfer Impact Assessment). All in all, the effort for handling 3rd country transfers and documentation will remain high. The new SCCs are more than just ticking the box and simply concluding new SCCs alone will NOT be sufficient to comply with the Schrems II requirements. As mentioned above, the documentation of the security measures will play an important role.
These terms will not only be applicable for anyone processing personal data originating from the European Union. Since Switzerland adopted these terms in the past as equivalent, anyone processing "just" Swiss data abroad will also be impacted.