Data Protection Update: EU SCCs

June 23, 2021

The data protection world is very excited – the EU has just published a set of new standard contractual clauses (SCCs)! While the data protection world rejoices, you might be wondering, what's all the fuss?

Well, aside from our fanaticism for data protection (it's a lawyer thing...) this new set of standard contractual clauses triggers a few important changes.

Let's discuss...

First things first – what are the EU SCCs?

Under the GDPR, international transfers of personal data from the EU to other countries is prohibited unless appropriate safeguards are put in place.

The EU standard contractual clauses are the most common mechanism for legally transferring personal data from the European Economic Area (that’s the EU plus Iceland, Liechtenstein and Norway, shortened to the EEA) to countries which have not been deemed “adequate” by the EU.

An adequacy decision by the European Commission means that a country’s data protection laws are considered equivalent to the General Data Protection Regulation (GDPR).

Who needs to use the new EU SCCs?

The new EU SCCs must be used for transfers of personal data from someone subject to the General Data Protection Regulation (even if they are not established in the EU) to countries outside the EEA without an adequacy decision. “Transfer” can mean that the personal data is accessed from somewhere, even if it doesn’t physically travel there.

When are SCCs required?

The SCCs can be used for the following data transfers:

  • A controller to another controller
  • A controller to a processor
  • A processor to another processor (e.g. a sub-processor)
  • A processor to the controller who appointed them

A controller is the main decision-maker about how and why the personal data is processed, and a processor does what the controller tells them. If you’re not sure whether you’re a controller or processor, we're on hand to help. Take a look at our blog that breaks down the roles within data protection, or alternatively, feel free to reach out to us!

What is different in the new EU SCCs?

The old EU SCCs were written before the GDPR. Therefore, although it remained a requirement to agree them unamended, they were not entirely compliant with the requirements of the GDPR. The new EU SCCs should now cover the elements required by the General Data Protection Regulation, as well as having been updated in other ways.

The new SCCs are modular, and sometimes give options between clauses – this means that you have to pick (and agree with the other party) the right clauses for the circumstances. While this allows you to have data protection clauses which better suit your needs, the different options currently mean they are more complex to put in place than the previous SCCs. You are therefore more likely to need assistance from a lawyer to get them right. Except for choosing which clauses from the options provided, the SCCs must still be agreed without amendment.

The new SCCs incorporate the need for the parties to have carried out a data transfer impact assessment prior to the transfer. Again, this is something you are likely to need legal assistance with, as it involves understanding the laws of the country you are transferring the personal data to, as well as the data protection risks for the specific transfer. Depending on the destination country, you may need to consider putting additional safeguards in place (the new SCCs give some useful examples). There are also firmer obligations on the party receiving the personal data in relation to attempts by public authorities to access the data.

You will also be required to include a specific list of security measures, and specify which transfer(s) or category of transfer(s) they apply to. Under the old SCCs, it was possible to include a more general statement, but this is expressly not allowed under the new ones. In particular, you need to specify what extra safeguards are in place for dealing with special category data (e.g. health information, racial or ethnic origin, sexual orientation, religious beliefs, political opinions) and criminal offence data.

The original parties to the EU SCCs can allow new parties to sign up to them, rather than having to sign a whole new contract. This should be helpful, but it may affect the apportioning of liability, so be careful!

The need to appoint an EU representative in certain circumstances is baked into the new SCCs too, so if you’ve been avoiding that until now and you’ll need to put SCCs in place, it’s probably time to appoint one.

What about international data transfers from the UK?

As usual, Brexit has complicated everything.

Because the new EU SCCs weren’t published until after the Brexit transition period ended, they cannot be used for transfers from the UK to non-adequate countries.

The ICO has said they intend to publish new UK SCCs sometime in 2021. That means that for now, transfers outside the UK (to non-adequate countries) need to use the old EU SCCs, subject to a few post-Brexit tweaks suggested by the ICO.

Do I need to put the SCCs in place for transfers between the UK and the EU?

Probably not.

The UK has declared the EU adequate, so there is no need to put the UK SCCs in place for transfers from the UK to the EU.

Until the end of June 2021, transfers from the EU to the UK are covered by a temporary adequacy provision in the Brexit withdrawal agreement. We are still waiting for the official adequacy decision from the European Commission, but it currently looks as though this will happen in just in time before the end of June deadline.

If the adequacy decision doesn’t happen before the end of June 2021, there will be a quick scramble to put the EU SCCs in place for transfers from the EU to the UK. There would still not need to be UK SCCs for transfers from the UK to the EU.

When do I need to start using the new EU SCCs in new contracts?

The new EU SCCs enter into force on 27 June 2021. Three months later (on 27 September 2021) the old EU SCCs will be repealed. This means that there is a three-month period where the old EU SCCs can be used in new contracts.

Do I need to replace the SCCs in my existing contracts?

Yes, you do, but in most cases you have a bit of time to do so.

For contracts entered into before 27 September 2021, you will need to replace the old EU SCCs with the new ones by 27 December 2022. However, if you make any changes to the data processing operations covered by the old SCCs before 27 December 2022, you will need to replace the SCCs at that point.

…that is, unless they relate to international transfers from the UK to non-adequate countries, in which case they can stay the same for now, but will likely need replacing after the ICO publishes the new UK SCCs.

Do I still need other data protection terms in my contracts?

Yes – you will still need other data protection terms. For example, you need to deal with personal data being processed within the UK/EEA, and may want to include terms for international data transfers which aren’t dealt with in the SCCs. Just bear in mind that the SCCs will take precedence over your own data protection clauses if they conflict.

We’re the experts in getting data on your good side. Find out more about our data protection offering here.

Receive our insights directly to your inbox by signing up to our newsletter

Recommended content