Are the new SCCs sufficient after Schrems II ?

Draft new SCCs

On 12 November 2020, the European Commission published long awaited draft new Standard Contractual Clauses (SCCs) for data transfers between EU and non-EU countries (i.e. outside the EEA). This document updates and restructures the previous SCCs published by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU). The draft is open to public consultation until 10 December 2020. Adoption of the final version of SCCs is expected early 2021.

New structure

The new SCCs are presented as a modular approach covering four different data transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

As expected, the SCCs now also cover the processor-to-processor and processor-to-controller transfers scenarios.

In addition, the SCCs are designed in a way allowing the parties to use them in a multi-party setting. Docking clause allows new parties to access the SCCs at any time by completing Annexes (i.e. list of Parties, description of the transfer(s) and technical and organisational measures).

The parties (i.e. the “data exporter” and the “data importer”) are also free to include those SCCs in a wider contract and to add other clauses or additional safeguards (not. via contractual commitments supplementing the SCCs) provided that they do not contradict, directly or indirectly, the SCCs.

… and new issues

Although their revision was already pending, the SCCs have been reviewed notably in the light of the Schrems II decision issued earlier this year by the CJEU.

International data transfer based on SCCs should only take place if the laws of the third country of destination do not prevent the data importer from complying with thoses clauses. Following the EDPB’s six steps roadmap, in performing this assessment, the Parties should take into account the specific circumstances of the transfer (e.g. the purpose of the transfer, the nature of the transfered data, the type of recipient, the duration of the contract, etc.), the laws of the third country of destination and the additional safeguards that could be taken (e.g. technical or organisational measures).

To ensure the effectiveness of SCCs, the importer shall, notably:

  • make its best efforts to provide the data exporter with all relevant information;
  • promptly notify the data exporter if it :
  • has reason to believe that it is or has become subject to laws not in line with the protection granted by GDPR,
  • receives a legally binding request by a public authority under the laws of the country of destination for disclosure of personal data. Such notification shall include, at least, information about the personal data requested, the requesting authority, the legal basis for the request and the response provided,
  • becomes aware of any direct access by public authorities to transferred personal data. Such notification shall include all information available to the importer,
  • review, under the laws of the country of destination, the legality of such request for disclosure and to exhaust all available remedies to challenge the request if possible under applicable laws.

Are the new SCCs sufficient after Schrems II ?

Unfortunately, the answer is NO.

As a reminder, the transfer of data to a third country must be based on an appropriate data transfer mechanism amongst those listed in Chapter V GDPR, such as SCCs.

But the exporter shall first, following the EDPB’s six steps roadmap, assess whether the third country’s laws and practices provide an essentially equivalent level of protection to the EU. Whether or not data exporter can transfer personal data on the basis of SCCs will depend on the result of such assessment, taking into account the circumstances of the transfers, and supplementary measures that could be implemented.

If this assessment concludes that the laws of the third country encroaches on the effectiveness of the transfer tool (e.g. if Section 702 of FISA and/ or E.O. 12333 applies, for E.U.-US transfers), supplementary measure should be considered to ensure the required level of protection.

First, the new SCC’s do not include all the contractual measures suggested by the EDPB.

Then, contractual requirements do not appear to be self sufficient to guarantee the transferred data a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. For instance, surveillance programmes based on Section 702 of the FISA are secret. The importers who are subject to it (e.g. cloud-based services providers) are subject to a secrecy obligation regarding the acquisition requested by the US government, which prohibits the sending of a notification to the customers (e.g. the exporters). In such cases, only the implementation of technical measures (such as strong encryption) therefore appears to be effective.

Nevertheless, it is sometimes necessary for the importer to access the data in the clear (e.g. to properly provide the services requested by the exporter). The direct consequence could therefore be that in some cases the transfer of data to a country that does not provide for an equivalent level of protection would be impossible.


The assessment of the effectiveness of SCCs (which involves analysing the laws applicable in the importer’s country) is a complex task.

Parties should document such assessment and make it available to the competent data protection supervisory authority.

A maximum obligation of cooperation should be required from the importer (e.g. by inserting additional contractual measures).

Related : Lexing ( Ms. Fanny Coton ,  Mr. Thomas Espeel )


Ms. Fanny Coton Ms. Fanny Coton
Mr. Thomas Espeel Mr. Thomas Espeel

Click here to see the ad(s)
All articles Commercial practices

Lastest articles Commercial practices

Champagne: in victory, one deserves it!

On 21 December 2020, the Opposition Division of the EUIPO rejected the registration application for the ‘CHAMPAWS&rs...

Read more

The pitfalls of the B2B law for service and distribution contracts

As the B2B law applies to all contracts between businesses, it will generally concern contracts for the provision of servi...

Read more

Overzicht van EU-BE juridische ontwikkelingen

U vindt hieronder een overzicht van recente juridische ontwikkeling op Europees en Belgisch niveau.

Read more

The effect of the B2B law on your general terms and conditions

The B2B law inevitably has an important effect on the general terms and conditions of your agreements. In this section of ...

Read more

Lastest articles by Ms. Fanny Coton

Exonération des autorités publiques des amendes prévues par le RGPD

La législation belge prévoit l’exonération des autorités publiques des amendes pré...

Read more

Employeurs : comment gérer les soupçons/cas avérés de contamination ?

La pandémie actuelle donne lieu à de nombreuses questions pour les employeurs, comme nous l’avons vu d...

Read more

Caméras et location de bureaux : quelles obligations ?

Nombreux sont les propriétaires d’immeubles qui gèrent un système unique de caméras de s...

Read more

Lanceurs d’alerte: Un mécanisme interne obligatoire dès décembre 2021

L’Union européenne a enfin adopté la directive « lanceurs d’alerte » (dire...

Read more

Lastest articles by Mr. Thomas Espeel

(Rainy) Sky v. SkyKick : the CJEU opened its umbrella

On 29 January 2020, the CJEU handed its much anticipated decision in the referral from the English High Court in the &lsqu...

Read more

InfoSoc Directive : no digital exhaustion according to the ECJ

For the ECJ, the sale of second-hand e-books through a website constitutes a communication to the public that requires the...

Read more

RGPD et finalité du traitement : l’APD serre la vis !

Consacré dès 1981 (Convention 108), le principe de finalité est un principe angulaire de la protectio...

Read more

NIS Law: the new incident notification procedure

The law of 7 April 2019 (the ‘NIS law’) states that the Operators of Essential Services (OES) and th...

Read more

LexGO Network