New Standard Contractual Clauses (SCC) and Data Transfers

The European Commission adopted the new standard contractual clauses (SCCs) regarding transfers of personal data on 4.6.2021, and according to the transition period, they must be fully implemented by 27.12.2022 at the latest.

The SCCs refer to standard agreements drawn up by the EU authorities, the aim of which is to provide different actors with an easy-to-use means of protecting personal data in international data transfers. In practice, SCCs are used in the same way as standard contracts in situations involving transfers of personal data from the EEA to third countries; the SCCs are therefore an agreement on the ways in which personal data must be protected in international data transfers.

Why are standard contractual clauses needed?

When personal data is transferred between different actors from the EEA to third countries, according to the EU’s General Data Protection Regulation (GDPR), the transfer of personal data must be adequately protected. According to the GDPR, SCCs can be used as one way to protect personal data in data transfers.

While SCCs are a means of protecting personal data offered and approved by the EU authorities, in practise, they are most commonly used as a means of protecting personal data in international data transfers. This manifests e.g. in that practically all internationally operating digital service providers utilize the SCCs as a part of their standard contracts.

The advantage of SCCs is their pre-approved standard form. This saves both time and money and is particularly advantageous for SMEs that do not have the resources to negotiate individual contracts with each contract partner.

Why have the standard contractual clauses been changed?

During the old Data Protection Directive, the Commission approved three sets of standard contractual clauses that remained in force after the GDPR entered into force on 25.5.2018. In addition, at that time the Privacy Shield arrangement between the EU and the United States was in force, which was intended to guarantee an adequate level of data protection when data was transferred from one region to another.

The reason for changing the standard clauses was the desire to update them to meet the requirements of the new legal framework, namely the GDPR. The goal was also to take into account the new case law, especially the so-called Schrems II judgement (C311/18), in which the European Court i.a. invalidated the Privacy Shield arrangement because the US legislation did not ensure a level of data protection that was equivalent to the EU level. Moreover, the case was simply that the old standard clauses could no longer keep in pace with the modern digital economy: as the number of parties to contracts increased and the need for complex chains of contracts arose, it was appropriate to update the structure of the standard clauses to be more approachable and flexible.

How have standard contractual clauses been changed?

The core content of the SCCs has remained the same. As before, the current SCCs include commitments to essential data protection principles, data security obligations, third party beneficiary rights and submission to the jurisdiction of EEA data protection authorities and courts.

In terms of changes, first of all, the structure of the SCCs has been changed to enable a wider range of data transfer scenarios. This has been done by creating a module structure from which users can choose the module corresponding to each transfer situation. With this, it has been possible to replace three SCCs with one module-structured SCC. In addition, the standard clauses now permit new parties to join the SCCs throughout the lifecycle of the contract and include a list of attachments for providing information about each data transfer.

Second, the update has also introduced substantive changes: now the SCCs meet GDPR requirements and include enhanced transparency obligations as well as more detailed clauses on data subject rights, data breach notification and rules for onward transfers. In addition, with the update, the Schrems II judgement has been implemented, so the parties to the contract must henceforth carry out a case-by-case assessment of whether a level of data protection corresponding to the EU requirements for the transfer of personal data is guaranteed and assess the need for the use of additional protective measures (so-called "transfer impact assessment"). Disclosure obligations and the obligation to resist unlawful requests have also been added to the SCCs.

When should you react to changes?

Data protection agreements concluded after 27.9.2021 must be based on the new SCCs. A transition period of 18 months has been granted for those entities that have entered into a data protection agreement using the old standard clauses. This transition period ends on 27.12.2022. At that time entities must replace the previous SCCs with the new SCCs, including the annexes. However, if the contracts are modified before the end of the transition period, the parties must switch to using the new standard clauses immediately.

Our Associate Trainee Savva Kuparinen took part in writing this article.