Global menu

Our global pages

Close

New standard contractual clauses for data transfers outside EU/EEA shall be used as of 27 September

  • Finland
  • Other

07-10-2021

Commission issued new Standard Contractual Clauses (SCC) for transfer of personal data outside EU/EEA:
The new Standard Contractual Clauses are modular and can be used for practically all kinds of contracts including those at subcontractor level and group companies which use the same service provider for transfers of personal data outside EU/EEA.

The SCC are divided into 4 modules covering different data transfer scenarios:
•    controller to controller
•    controller to processor
•    processor to processor
•    processor to controller

Third parties can also join as parties to the SCC also at a later stage, throughout the lifecycle of the contract.

Since 27 September 2021 the companies entering into SCC’s shall use the new SCCs. Also, the contracts concluded before 27 September 2021 that incorporated the old SCCs to safeguard transfers out of the EU will need to be replaced before 27 December 2022.

Supplementary Measures
In addition to SCC’s the companies transferring data outside EU/EEA shall implement appropriate supplementary measures (SMs) to rase protection of personal data to essentially equivalent level afforded by the GDPR. SMs are necessary in those cases where the exporter of personal data determines that law or practice of the receiving third country does not on its own afford the required level of protection (e.g. US).
The EDPB has recommended businesses to carry out the following six-step practical approach to establish whether the transfer complies with Schrems II:
1. Create a map of data transfers to third countries, including also onward transfers and sub-processors.
2. Make sure that the instrument the data transfer relies on for compliance is still valid.
3. Make a case by case assessment on whether any laws, conditions or practices in the receiving third country can in practice impact the compliance with the GDPR safeguard levels that the SCC aims to achieve.
4. Identify and adopt the necessary SMs to make the level of protection afforded to the data transfer equivalent to EU standard.  
5. Put SMs into practice by taking practical measures.
6. Regularly review the extent of protection afforded to the data transferred and any changes that might affect this.

Does your company transfer data outside EU/EEA based on the old SCCs? Contact our Data Privacy team for further assistance.