What you need to know
The European Commission has published new Standard Contractual Clauses (SCCs) for use when exporting personal data outside of the European Economic Area (EEA).
Under the General Data Protection Regulation (GDPR) organisations may only transfer personal data outside of the EEA if they use SCCs or another approved data transfer mechanism under the GDPR.
What are SCCs?
SCCs are template data transfer agreements that allow data exporters to transfer personal data to countries outside the EEA. The publication of the new SCCs follows a consultation process by the European Commission and will replace the existing SCCs.
Existing SCCs can still be used for new data transfers for three months, and existing data transfers may continue under the old SCCs during the 18 month transition period, until the end of 2022. After this transition period only the newly published SCCs will be valid for transfers to outside of the EEA.
What has changed?
The new SCCs make a number of changes, including:
- Using a modular approach – data exporters need use only the modules that are applicable to their needs.
- Requiring both the data exporter and importer to assess the local laws in the jurisdiction to which the data is being exported.
- Incorporating the provisions required to be put in place with data processors under Article 28 of the GDPR, removing the need for separate processing terms.
What about transfers from the UK?
Post-Brexit the UK is no longer an EEA country, and the use of personal data collected in the UK is subject to the UK GDPR.
The UK’s data supervisory body, the ICO, currently recognises the existing SCCs as an adequate transfer mechanism for the transfer of personal data to countries outside of the UK. However it is expected to publish a draft of its own SCCs later in 2021. The ICO is also considering whether to recognise the new SCCs as a valid transfer mechanism under the UK GDPR.
Until then, UK organisations may continue to use the existing EU form of SCCs for transfers of personal data out of the UK. However organisations which transfer personal data gathered within the EEA to a country outside of the EEA, should now start to plan the implementation of the new SCCs prior to the end of the transitional period. In particular, the EU’s final decision on the adequacy of the UK is still awaited, and if not forthcoming may require the SCCs to be put in place for transfers from the EEA to UK.
If you need some guidance on data compliance and avoiding costly mistakes, we’re here for you – get in touch.