New standard contractual clauses for data transfers

21st June 2021

What you need to know

The European Commission has published new Standard Contractual Clauses (SCCs) for use when exporting personal data outside of the European Economic Area (EEA).

Under the General Data Protection Regulation (GDPR) organisations may only transfer personal data outside of the EEA if they use SCCs or another approved data transfer mechanism under the GDPR.

What are SCCs?

SCCs are template data transfer agreements that allow data exporters to transfer personal data to countries outside the EEA. The publication of the new SCCs follows a consultation process by the European Commission and will replace the existing SCCs.

Existing SCCs can still be used for new data transfers for three months, and existing data transfers may continue under the old SCCs during the 18 month transition period, until the end of 2022. After this transition period only the newly published SCCs will be valid for transfers to outside of the EEA.

What has changed?

The new SCCs make a number of changes, including:

  • Using a modular approach – data exporters need use only the modules that are applicable to their needs.
  • Requiring both the data exporter and importer to assess the local laws in the jurisdiction to which the data is being exported.
  • Incorporating the provisions required to be put in place with data processors under Article 28 of the GDPR, removing the need for separate processing terms.

What about transfers from the UK?

Post-Brexit the UK is no longer an EEA country, and the use of personal data collected in the UK is subject to the UK GDPR.

The UK’s data supervisory body, the ICO, currently recognises the existing SCCs as an adequate transfer mechanism for the transfer of personal data to countries outside of the UK. However it is expected to publish a draft of its own SCCs later in 2021. The ICO is also considering whether to recognise the new SCCs as a valid transfer mechanism under the UK GDPR.

Until then, UK organisations may continue to use the existing EU form of SCCs for transfers of personal data out of the UK. However organisations which transfer personal data gathered within the EEA to a country outside of the EEA, should now start to plan the implementation of the new SCCs prior to the end of the transitional period. In particular, the EU’s final decision on the adequacy of the UK is still awaited, and if not forthcoming may require the SCCs to be put in place for transfers from the EEA to UK.

If you need some guidance on data compliance and avoiding costly mistakes, we’re here for you – get in touch.

We’re here for you – contact us today

0300 124 0406
enquiries@schofieldsweeney.co.uk

Contact Us

Bradford office

Church Bank House
Bradford
West Yorkshire
BD1 4DY

What3words - names.frosted.broke
Phone: 01274 350 800 Fax: 01274 306 111

Leeds office

Centura
76 Wellington Street
Leeds
West Yorkshire
LS1 2AY

What3words - crass.makes.store
Phone: 0113 849 4000 Fax: 0113 243 9326

Huddersfield office

30 Market Street
Huddersfield
West Yorkshire
HD1 2HG

What3words - eaten.salads.case
Phone: 01484 915 000 Fax: 0800 368 8449

London office

33 Bedford Row
London
WC1R 4JH
Phone: 020 8146 5119
Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.

Website by Tall
Conveyancing Quality