On 4 June 2021, the European Commission finally adopted a new and modernised set of standard provisions. The kit contains a standard data processor agreement (DPA) and standard contractual provisions for the transfer of personal data (SCCs).
The new SCCs incorporate a number of different new provisions reflecting current rules and practices, with the aim of strengthening the protection of personal data transferred to unsafe third countries.
This comes in the light of the now very well-known Schrems-II case, in which the European Court of Justice incapacitated the previously applicable system for the transfer of personal data between the EU and the US, Privacy-Shield. The CJEU also stressed that transfers to third countries based on SCCs require adequate protection of personal data, which will often require the implementation of additional security measures.
The judgment has formed the basis for a great many issues with companies and authorities, especially in relation to the use of suppliers involving transfers of personal data to the United States or similar third countries. These issues are addressed to some extent in the new SCCs.
The new SCCs include the following essential measures:
Companies and authorities are given 18 months from the adoption date to phase out the previous SCCs and replace with new SCCs or some other transfer reason in the relevant circumstances. In addition, it is important to note that the data exporter still has to make an individual assessment of whether and what additional measures are necessary in the specific transfer situation.
Niels Dahl-Nielsen
Mobile: +45 4030 9749
Email: ndn@coplay.law
Line Forsberg Andersen
Mobile: +45 2619 4966
Email: lfp@coplay.law