    New Standard Clauses for international data transfers: what you need to do

  • Last update: 16 June 2021

    Following the GDPR becoming applicable in May 2018 and the Court of Justice of the EU's ruling in Schrems II in July 2020, the long-awaited new Standard Contractual Clauses (New SCCs) have finally been published. These New SCCs will come into effect on 27 June 2021.

    The prior SCCs were designed before the GDPR saw the light and, although they were upheld in the Schrems II case, they lacked reliability and practicability. The New SCCs allow for more types of transfers of personal data using a modular approach, instead of the more rigid and limited scope of the prior SCCs.

    What happened?

    The European Commission published two sets of New SCCs, which will apply as of 27 June 2021:

    • Data transfer mechanism for transfers to third countries: The first set deals with transfers of personal data outside the European Economic Area (EEA) to recipients in countries without an adequate level of data protection (adequacy decision of the Commission). This set replaces the current SCCs. The set should enable the transfer of personal data to recipients in third countries by providing sufficient contractual safeguards for the protection of personal data.
    • Data processing agreement: The second set is designed to meet the requirements of article 28 GDPR (data processing agreements with processors). It can be used when a controller engages a processor, regardless of whether a transfer of personal data takes place outside the EEA.

    Our focus in this newsletter is on the first set, i.e. data transfers to third countries. It will be mandatory to transition to these New SCCs in the absence of other instruments to legitimize data transfers to third countries.

    What are the main changes for the first set of New SCCs?

    Adequacy and supplementary measures assessments. In view of the Schrems II ruling, the New SCCs contain a section that the prior SCCs did not have. It deals with ensuring that the local laws of the importing third country do not prevent the data importer from fulfilling the requirements of the New SCCs and, thus, do not undermine the essentially equivalent level of data protection that should be guaranteed.

    It is required that:

    (i)   the parties warrant that local laws do not prevent the data importer from fulfilling the applicable requirements, based on an understanding of those laws and that those laws do not exceed what is necessary and proportionate in a democratic society. For this assessment, the following should be taken into account:
    a.   the specific circumstances of the transfer;
    b.   the laws and practices of the destination country; and
    c.   any relevant contractual, technical, or organizational safeguards put in place.

    If local laws may interfere with the privacy rights of data subjects, parties must adopt appropriate supplementary contractual, technical or organizational measures. The newly introduced Annex II provides examples of supplementary safeguards, including encryption, certification, testing and logging.

    (ii)   the data exporter determines that the data importer is able to fulfill its requirements;

    (iii)   the data importer uses best efforts to provide the data exporter with relevant information and cooperation;

    (iv)   the local law assessment is documented and made available to the competent data protection authority upon request.

    These requirements show that the local law and supplementary measures assessments are still required and merely formalize the results of the Schrems II ruling. It is also good to note that the European Data Protection Board (EDPB) is expected to publish the final version of its guidance on the assessment of the possible supplementary measures at the end of June 2021.

    Modular and multi-party/accession structure. Data exporting parties can now choose a module within the New SCCs that is applicable to the nature of their exports and only use the relevant clauses of this specific module.

    (i)   Module 1 deals with controller-to-controller transfers;

    (ii)   Module 2 deals with controller-to-processor transfers;

    (iii)   Module 3 is to be used for processor-to-processor transfers; and

    (iv)   Module 4 is to be used for processor-to-controller transfers.

    The prior SCCs did not provide the means for exporting processors to ensure legal compliance and often created challenges when trying to implement SCCs within large intra- or extra-group relations. The New SCCs, with their modular design, take the complex data ecosystem of companies more into account.

    Additionally, the New SCCs allow for new parties to be added to the contract over time (called the "docking clause") and explicitly allow for more than two parties to enter into the New SCCs, which is also useful in onward transfers to other parties.

    Geographic scope. The prior SCCs could only be used if the data exporter was established in the EEA. The New SCCs allow non-EEA data exporters to enter into SCCs, i.e., with another non-EEA data processor or non-EEA controller, which finally addresses the extraterritorial scope of application of the GDPR to non-EEA controllers.

    Very detailed specification required. Annex I of the New SCCs handles the specification of the parties, transfers, competent authority and, probably most importantly, the requirement for data importers that make onward transfers to sub-processors to specify the subject matter, nature and duration of these sub-processor transfers. This requires more extensive data mapping and more transparency from companies processing and controlling data. Based on Annex II, the contracting parties will be required to be very specific about the organizational and technical measures to be implemented to protect personal data. Lastly, Annex III sets out a list of sub-processors for which the data exporter must give specific authorization to the data importer. This list can be used instead of the general authorization to engage sub-processors, but it is not mandatory when implementing the New SCCs.

    Data processing agreement not required. The prior SCCs could only be used for the international transfer of personal data to third countries. On top of the requirements for international data transfers to third countries, the relevant modules of the New SCCs also cover the requirements for data processing agreements when engaging a processor under article 28 GDPR. This means that it will not be required to also conclude a data processing agreement with non-EEA processors if parties conclude the New SCCs, but the New SCCs still allow parties to make additional arrangements that do not conflict with the New SCCs.

    More extensive data breach notification requirements. In the New SCCs, additional personal data breach requirements have been added, especially for non-EEA controllers. In controller-to-controller situations, the data importer will be required to report personal data breaches to the data exporter as well as the competent supervisory authority, and also to the data subjects if the breach is likely to result in a high risk for the rights and freedoms of natural persons.

    What to do and when to do it?

    The Implementing Decision provides that the New SCCs will come into force on 27 June 2021. The Commission then provides an 18-month transition period (thus until 27 December 2022) to replace current contracts that govern current data transfers. This seems generous, but given the significant changes compared to the prior SCCs, we advise organizations to start preparing the replacement of current contracts as soon as possible. Please also note that, if in the three months after 27 June 2021 your organization initiates new data transfers, these new data transfers may still rely on the prior SCCs. In practice this means that any organization that starts to transfer data outside the EEA after 27 September 2021 must rely on the New SCCs. In short:

    • Map all data transfers to third countries based on the old SCCs;
    • Assess the duration of the underlying service agreement(s) and accompanying continuation of data transfers;
    • Start using the New SCCs for relevant new agreements with data transfers to third countries;
    • In any case, do not use the old SCCs for new agreements with data transfers to third countries after 27 September 2021;
    • Transition any old SCCs in already existing agreements/data transfers to the New SCCs, in any event before 28 December 2022.

    Do you have any questions about the New SCCs? Please contact one of our Privacy Team members.

    Elisabeth Thole

    Partner, Lawyer

    Elisabeth leads the Van Doorne Privacy Team. She is also a member of the Van Doorne Cyber Security Team.

    Özer Zivali

    Counsel, Lawyer

    Özer is a member of the Privacy Team and specializes in privacy, data protection, data technologies and (cyber) security. He has extensive experience in effectively assisting multinationals in complex, high-risk, and cross-border data-related matters. This includes high-impact data breaches, the development and implementation of innovative data technologies, enforcement by authorities and complex data sharing structures, and strategic advice on translating the requirements of the General Data Protection Regulation (GDPR) to the business needs of clients. Özer also has extensive experience in advising companies on other data protection related matters, such as negotiating data processing or other data protection related agreements, loyalty programs, profiling, compliance projects for customer and employee data, apps, web shops, and international transfers of personal data, including Binding Corporate Rules. Özer also has experience in IT contracting and outsourcing.

    Fabienne Dohmen

    Lawyer

    Fabienne is a member of the Privacy Team. She advises Dutch and international clients on various aspects of privacy and data protection law.

    Ali Abdollahi Nejat

    Lawyer

    Ali is part of the Privacy & Data Team. He advises both Dutch and international clients on various aspects of privacy and data protection law, such as maintaining the data processing register, the international transfer of personal data to countries outside the European Economic Area (EEA), carrying out Data Protection Impact Assessments (DPIAs), data breaches, drafting and reviewing privacy policies and cookie statements, shaping the process of personal data exchange between organisations, the position and tasks of the Data Protection Officer (DPO) and the works council (WC), privacy aspects in the employer-employee relationship, the use of camera surveillance, screening and monitoring of data subjects.

    Babette Poley

    Lawyer

    Babette is part of the Van Doorne Privacy Team. She advises national and international organisations on a broad range of legal matters relating to privacy and data protection law, among which application of the General Data Protection Regulation (GDPR).

    Mitchel van Gool

    Lawyer

    Mitchel is part of the Litigation team and is involved in cases regarding contract and liability law. 

    Sophia Hanekamp

    Expert Privacy Law

    Sophia is part of the Privacy & Data Team. She focusses on various aspects of privacy and data protection law, such as developing templates, providing assistance on managing data processing registers, the international transfer of personal data to countries outside the European Economic Area (EEA), carrying out Data Protection Impact Assessments (DPIAs), data breaches, drafting and reviewing privacy policies and cookie statements, shaping the process of personal data exchange between organisations and the position and tasks of the Data Protection Officer (DPO).