The General Data Protection Regulation ("GDPR") restricts transfers of personal data outside the EEA unless:

• the third country has been recognised by the European Commission as providing an adequate level of data protection, such as in the case of Switzerland and Canada (all current adequacy decisions may be found here), or

• if certain safeguards, like the use of standard contractual clauses (SCCs), and on condition that enforceable rights and effective legal remedies for data subjects are available, or

• if certain derogations as listed in Article 49 of the GDPR apply, such as the data subject having explicitly consented to the proposed transfer of their personal data or the transfer is necessary for important reasons of public interest.

SCCs have been a popular mechanism to transfer personal data outside of the EEA, especially in recent months in the wake of the Schrems II decision, that invalidated another transfer mechanism, the EU-US Privacy Shield.

On 4 June 2021, the European Commission issued modernised and more onerous standard contractual clauses under the GDPR for data transfers from (i) controller to controller, (ii) controller to processor, (iii) processor to processor and (iv) processor to controller. These new SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46 and addressed only two transfer scenarios (i.e., controller to controller, and controller to processor).

The new SCCs (available here) need to be used for all international data transfers after the end of the next 3 months. Furthermore, existing SCCs will need to be switched to the new SCCs before the end of the 15 month transition period, which should come to an end in December 2022.

A notable addition to the SCCs is Clause 14, which has been created to reflect the Schrems II decision. Clause 14 requires that the parties warrant that at the time of signing the new SCCs, they have no reason to believe that the laws and practices applicable to the data importer, including any requirements around disclosure to, or access by, public authorities, prevent the data importer from complying with the new SCCs. In giving this warranty the parties must take account, in particular, of:

(i) the specific circumstances of the transfer (e.g., nature of data, purpose for processing);

(ii) the laws / practices in the recipient third country – including “reliable information” on the application of the law, the existence / absence of requests in the same sector, and “under strict conditions, the documented practical experience of the” parties; and

(iii) any supplementary measures implemented.

This assessment must be documented by the parties and provided to the competent supervisory authority on request. Moreover, the data importer should notify the data exporter if it believes it cannot comply with the new SCCs.

The SCCs also introduce an obligation on the data importer to notify the data exporter and the data subject if it receives a legally binding request from a public (including judicial) authority under the law of the country of destination for disclosure of personal data transferred pursuant to the standard contractual clauses. Similarly, it should notify them if it becomes aware of any direct access by public authorities to such personal data, in accordance with the law of the third country of destination.

Organisations transferring personal data to third countries not covered by an adequacy decision or not subject to a derogation under Article 49 of the GDPR should therefore start thinking about the steps needed to implement these new SCCs.

Please note that this article does not constitute legal advice. Specialist legal advice should be taken in relation to specific circumstances. The contents of this article are for general information purposes only. Whilst we endeavour to ensure that the information on this site is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.