New standard contractual clauses (SCCs) adopted

Compliance
7.6.2021

On 4 June 2021, the European Commission finally adopted a new and modernised set of standard provisions. The kit contains a standard data processor agreement (DPA) and standard contractual provisions for the transfer of personal data (SCCs).

The new SCCs incorporate a number of different new provisions reflecting current rules and practices, with the aim of strengthening the protection of personal data transferred to unsafe third countries.  

This comes in the light of the now very well-known Schrems-II case, in which the European Court of Justice incapacitated the previously applicable system for the transfer of personal data between the EU and the US, Privacy-Shield. The CJEU also stressed that transfers to third countries based on SCCs require adequate protection of personal data, which will often require the implementation of additional security measures.  

The judgment has formed the basis for a great many issues with companies and authorities, especially in relation to the use of suppliers involving transfers of personal data to the United States or similar third countries. These issues are addressed to some extent in the new SCCs.  

The new SCCs include the following essential measures:

  1. The general provisions are supplemented by a number of separate provisions that make it possible to tailor SCCs to the specific current transfer situation. This makes it possible to use SCCs in four different situations (data controller to data controller, data controller for data processor, data processor for data processor, data processor for data controller).
  1. It is possible to add more data controllers and data processors to SCCs, both prior to and after the conclusion of SCCs. In this way, for example, several links in a supply chain can be covered by the same SCCs.  

  1. The new SCCs introduce a guarantee between the data exporter and the data importer that there is no reason to believe that the data importer in the third country concerned is prevented from fulfilling its obligations in SCCs.  

  1. A section on the influence of local legislation on compliance with SCCs and the obligations of the data importer is introduced in the event of public authorities' access to personal data.  

  1. The new SCCs contain an annex for the indication of technical and organisational security measures. This Annex provides a number of examples of the security measures that the parties can implement to ensure adequate protection of personal data.  

Companies and authorities are given 18 months from the adoption date to phase out the previous SCCs and replace with new SCCs or some other transfer reason in the relevant circumstances. In addition, it is important to note that the data exporter still has to make an individual assessment of whether and what additional measures are necessary in the specific transfer situation.

Contact Niels Dahl-Nielsen or Line Forsberg Andersen if you have any questions about the new provisions:

Niels Dahl-Nielsen
Mobile: +45 4030 9749
Email: ndn@coplay.law

Line Forsberg Andersen

Mobile: +45 2619 4966

Email: lfp@coplay.law