Expertise and advice so you're always one step ahead - sign up to receive the latest legal updates, events & seminar news
HomeInsights & thinkingSCCs: New rules governing cross-border data transfers and data exchanges from the EU and EEA
SCCs: New rules governing cross-border data transfers and data exchanges from the EU and EEA
23 September 2021
This September brings change to the use of standard contractual clauses (SCCs) governing data transfers from the EU and EEA.
In June this year, the European Commission published two sets of new SCCs, governing cross-border data transfers and data exchanges. The requirements for the use of these are changing with effect from Monday 27 September 2021.
What are SCCs?
SCCs are standard terms and conditions which the sender and the receiver of personal data both sign up to. They set out the terms on which the parties will send data, the standard of safety required and any other obligations. Their aim is to protect personal data when it is being transferred from EU/EEA countries, where the relatively strict provisions of the General Data Protection Regulation (GDPR) apply, to other countries with different and often less stringent data privacy laws. They may need to be used as an ‘appropriate safeguard’ for the personal data being transferred, if the receiving country’s data protection regime has not been the subject of an ‘adequacy decision’ by the EU Commission.
The UK was the subject of an adequacy decision earlier this year, so SCCs do not need to be used for data transfers from the EU/EEA to the UK.
What are the changes?
The new SCCs have the following key features:
Increased obligations on data exporters
Data exporters (those who send personal data to a third country) must provide data subjects with information regarding their intent to transfer data, including categories of data, the subjects’ right to obtain a copy of the SCCs, and details of any onward transfer.
Rights of data subjects
Data subjects will be able to enforce the obligations of the SCCs as third-party beneficiaries.
Data importers (parties located in a third country receiving data) must inform data subjects of a contact point and deal promptly with any complaints or requests.
In the event of a dispute between a data importer and data subject who invokes their rights as a third-party beneficiary, the data subject can lodge a complaint with the supervisory authority in the relevant Member State, or refer the dispute to a competent court in the EU.
Increased flexibility
The new SCCs are structured as one modular document that can be adapted to specific scenarios.
More than two parties can now adhere to contract terms with SCCs, meaning that if additional parties are involved they can accede to the SCCs for their part in a transaction.
Provisions are included for when sub-processors are involved, including a process for authorisation and the need for a written contract with the sub-processor ensuring the same level of protection.
Standard provisions are included for the appointment of data processors where needed, whereas before a separate Data Processing Agreement would have to be drafted.
Third country provisions
The new SCCs contain an obligation to assess the laws and practices of a third country regarding data protection.
They also address the potential inability of a data importer to comply with new SCCs due to adverse laws in their country, including how to handle government requests for access to personal information.
When do the new SCCs come into effect?
The new SCCs took effect on 27 June 2021, but until now there has been a transitional period during which the old form SCCs could still be used in all contracts. However that transitional period comes to an end on 27 September 2021. Any new data transfers agreed after that date will need to be governed by the new SCCs. All contracts (new and existing) should be utilising the new SCCs by 27 December 2022.
What should you do?
Ensure all contracts entered into from now onwards incorporate the new form of SCCs.
Identify existing contracts that will need to be updated over the next fifteen months.
Identify contracts reflecting the new scenarios accounted for by the SCCs to determine if they will need to be updated.
How can we help?
We can:
undertake a review of your existing contracts and identify which will need to incorporate the new SCCs
advise on the amendment of existing contracts to incorporate the new SCCs
advise on the implementation of the SCCs in future contract negotiations
act as UK or EU representative via our sister company Willans Data Protection Services. If you are processing data about people in the UK or EU (as the case may be) and don’t have an establishment in those territories, the EU and UK versions of GDPR require you to appoint a local representative.
Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of data protection compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact us.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
On 24 May, the ICO published its updated guidance for businesses and employers on responding to data subject access requests (commonly referred to as ‘SARs’ or ‘DSARs’). Based on the…
Less paperwork for organisations, fewer data collection pop-ups for the wider public, and more than £4 billion saved over next 10 years – these are just a few outcomes that…
On Christmas Eve, the nation was informed that the UK and EU had struck a Brexit deal. The transition period is now over, and a clearer picture of the future…
By clicking Accept you are agreeing to the use of all cookies which will allow us to provide you with the most relevant experience when visiting or re-visiting this website. This means that your personal preferences will be remembered when you use this website. You can change your consent or choose specific settings by clicking "Cookie Settings". By clicking "Reject All" we will not use any non-essential cookies. Essential cookies will still be used for the website to function properly. Please see our cookie policy and privacy notice for more information about how we process your personal data.
Our website uses cookies to improve your experience while you navigate through our website. Out of these cookies, the cookies that are categorised as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use our website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies but it may affect your browsing experience on our website. You can find our cookie policy here.
Necessary cookies are absolutely essential for our website to function and enable core functionality such as security and accessibility. These cookies do not store any personal information. You can block these cookies by changing your browser settings, but this may affect how the website functions.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
mgref
1 year
This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
yt-player-headers-readable
never
The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-installed
session
The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period
session
The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app
session
The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name
session
The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY
never
The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
_ga
2 years
The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat
1 minute
This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_gid
1 day
Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_s
1 year
This cookie is associated with Shopify's analytics suite.
G
1 year
Cookie used to facilitate the translation into the preferred language of the visitor.
vuid
2 years
Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
VISITOR_INFO1_LIVE
6 months
YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA
6 months
YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC
session
Youtube sets this cookie to track the views of embedded videos on Youtube pages.