EU: Commission adopts new SCCs for exchanges of personal data
The European Commission announced, on 4 June 2021, that it had adopted two sets of Standard Contractual Clauses ('SCCs'), one for use between controllers and processors ('Controller-Processor SCCs') and one for the transfer of personal data to third countries ('Third Country Transfer SCCs'). In particular, the Commission highlighted that the SCCs reflect the requirements under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and take into account the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), with a view to ensuring a high level of data protection for citizens. Furthermore, the Commission noted that the new SCCs also take into consideration the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, feedback from stakeholders, and the opinion of Member States' representatives.
OneTrust DataGuidance, Sidley, and an expert panel will provide analysis on the new SCCs and the key questions for organizations in understanding the future of international data flows. In this webinar, we will be joined by a cross-industry panel including William Long, Partner at Sidley, Caroline Louveaux, CPO - MasterCard, Tina Maisonneuve, CPO - Nokia, Chris Foreman, CPO - Merck, Monika Tomczak-Gorlikowska, CPO - Prosus, and Lara Liss, CPO - Walgreens.
Key takeaways will include:
- In-depth reaction and analysis of the new SCCs
- What are key changes with the new SCCs and the initial draft
- When do companies need to implement them
- How to plan for international data transfers over the next few months
Join OneTrust DataGuidance and a cross-industry panel for this webinar here.
The Controller-Processors SCCs aim to ensure compliance with Article 28(7) of the GDPR and Article 29(7) of the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies. Furthermore, the Controller-Processors SCCs address the obligations of the parties in relation to, among other things, the security of processing, the use of sub-processors, international data transfers, and data breach notification, as well as non-compliance with the clauses.
Third Country Transfer SCCs
The Commission outlined that the Third Country Transfer SCCs:
- include one single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- offer more flexibility for complex processing chains, through a 'modular approach' and by offering the possibility for more than two parties to join and use the clauses; and
- offer a practical toolbox for compliance with the Schrems II judgment.
Notably, the Commission stated that there will be a transition period of 18 months for data controllers and data processors currently using the previous sets of SCCs.
UPDATE (7 June 2021)
Commission publishes official documents
The Commission published, on 7 June 2021, the Controller-Processor SCCs and Third Country Transfer SCCs in the Official Journal of the European Union.