On June 7th, new Standard Contractual Clauses (SCCs), for the transfer of personal data to third countries, were published in the Official Journal of the European Union. My team and I are constantly monitoring the evolution of the Regulation EU 2016/679 (General Data Protection Regulation “GDPR”), and here’s what we’ve learned so far about the latest changes.
As it is emphasized by the European Commission, the new SCCs are intended to align with the requirements under the GDPR and the judgement by the Court of Justice of the European Union on the Schrems II case.
- Effective Date and Transition Period
The new SCCs come into force on 27 June, 2021, and companies shall adopt the new SCCs until 27 September, 2021. All existing contracts for third-country transfers must be converted to the new SCCs by 27 December,2022.
- Inclusion of Article 28 GDPR Requirements
The new SCCs cover all requirements stated in Art.28 of the GDPR. Therefore, once parties have the new SCCs in place, there will be no need for signing a separate Data Processing Agreement.
- Schrems II Implementation
Prior to signing the new SCCs, parties will be required to assess and document the level of data protection in the third country. In case of a risk, parties must ensure supplementary measures are in place to mitigate such risk, and that personal data is protected in accordance with the standards laid out in the GDPR.
- Additionally, the new SCCs require data importers to notify data exporters promptly if they receive a public authority's request for the disclosure of personal data or become aware of a public authority's direct access to personal data. If the public authority prohibits the data importers from fulfilling their obligations, the data importers must use their best effort to obtain a waiver.
- Data importers must challenge the access request of public authorities if the request could be considered unlawful under "the laws of the country of destination, applicable obligations under international law and principles of international comity."
As the team and I continue monitoring data protection laws and regulations, we'll also continue implementing real-time changes and updates to our software, services, processes, and procedures. Doing this enables us to uphold the highest level of compliance for ourselves and, for our customers. We look forward to a timely replacement of our own existing SCCs — with providers like Microsoft, Google, Atlassian, and ClickDimensions — with the new SCCs.
Contact Lisa Waldherr to learn more about regulatory watch, an add-on compliance service for cleversoft customers.
Legal & Compliance Manager