The European Commission adopted on Friday, June 4th, 2021, the new GDPR Standard Contractual Clauses (SCCs).
The SCCs are a key component of the modernized system for ensuring data protection under the GDPR (The General Data Protection Regulation). They ensure the protection of all personal information, including sensitive data, when it leaves Europe and enters other countries.
What are the changes brought by the updated GDPR Standard Contractual Clauses?
The SCCs meet the new requirements of the GDPR and address the realities that companies are facing when transferring outside the EU. They provide companies with an easy-to-implement template. Thus, controllers and processors know that when using this template, they will not violate the data protection requirements.
Companies must go through the new requirements and review their contracts and agreements before September 27th. The European Commission provides a transition period of 18 months for controllers and processors currently using the 'old SCCs.' However, if not started on time, this process can become a very challenging and difficult one.
The modernized SCCs are more flexible, and they provide the opportunity for more than two parties to sign a single agreement without additional paperwork. Also, there is no ''additional agreement under Article 28 (3) of GDPR for Controller-to-Processor or Processor-to-Processor (except some processing in the EEA).''
Furthermore, the new SCCs' upgrades provide a set of practical tools with regard to the Schrems II decision. The controller and processor transferring the data to a third party are free to include "additional measures" or safeguards. However, these must not contradict directly or indirectly the standard contractual clauses nor affect the freedom of individuals.
The controllers can put certain security mechanisms like encryption to ensure that no one will see your information. On the other hand, processors must provide secure connections between users' devices as well as protecting against online malware infections.
The new SCCs are not valid under UK or Swiss law. It is likely that the UK will issue its own set of SCCs, but when and how similar to current EU laws, remains unclear at this time.
Conclusions
The EU adopted the clauses at a time when several organizations and third countries were issuing their own SCCs. The EU has committed to step up its cooperation with third countries to facilitate a smooth transfer of data.
This is an important point for all businesses to take time and review their contracts before September 27th. If you have not yet begun, now would be a good time to start! The EU's newly updated SCCs will provide protection for all personal information that are entering into other countries. These clauses ensure a high level of privacy and security for any sensitive data. Data like: social security numbers, health records, financial accounts, credit card information sent abroad from EU borders.
At Sovy, we are dedicated to simplifying business compliance for Micro and Small to Mid-Sized Enterprises (MSMEs) globally. If you need any help with your company's compliance efforts or want some tips about how to go forward, please don't hesitate to reach out!
Source: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj#ntr11-L_2021199EN.01003101-E0011
Last updated: September 6, 2021