Data transfer tool – Adoption of new sets of Standard Contractual Clauses

In the absence of an adequacy decision or derogations, undertakings may only transfer personal data outside the European Economic Area (EEA) if the latter have provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

To do so, undertakings widely use Standard Contractual Clauses (SCCs) adopted by the European Commission as an appropriate safeguards mechanism. 

The SCCs contain contractual obligations aiming to ensure compliance with the GDPR’s requirements and extend the scope of these rules to territories that are not considered to offer an adequate level of protection for the rights and freedoms of data subjects.

As the current SCCs were adopted by the European Commission under Directive 95/46, the predecessor of the GDPR, their content (which still referred to Directive 95/46) needed a major update. 

In addition, the use of SCCs as an appropriate safeguards mechanism has been questioned by the Court of Justice of the EU (CJEU) in the Schrems II case (read our previous e-zine on the decision rendered on 16 July 2020, C-311/18). Although the CJEU confirmed that the SCCs may be an effective mechanism to protect EU citizens whose personal data are to be transferred outside the EEA and therefore acknowledged their validity in principle, it is of the opinion that a case-by-case analysis is necessary in order to evaluate whether the data importer in the third country will be able to comply with the SCCs in practice and whether the legal system of the third country does not prevent such compliance. Hence, while in the past it was assumed that the signing of the SCCs in and of itself rendered a transfer compliant, EU data exporters now have to carry out Transfer Impact Assessments (TIAs) prior to using the SCCs. 

In light of the above, on 12 November 2020, the European Commission published new draft SCCs for public consultation. Feedback from no less than 148 organisations, especially business associations, has been received. In general, the updated SCCs were welcomed, but subject to certain remarks, suggestions and requests for amendment. 

The final version of the set of SCCs has been adopted and published today (see link here).


There are now four (4) sets of SCCs: 

  • controller-to-controller transfers; 
  • controller-to-processor transfers; 
  • processor-to-processor transfers (new!); and 
  • processor-to-controller transfers. 

The new SCCs provide more legal and privacy safeguards. The European Commission has further inserted some elements of transparency and accountability. For example, sub-processors will now have accept audits from the EEA-based controller.

The new SCCs also take into account the findings of the CJEU in the Schrems II case. As a result, the need for data exporters to perform a TIA prior to implementing the SCCs has now become a formal requirement and no longer based on EDPB guidance only. It is up to the EU data exporters to decide whether they only use SCCs or, given the legislation of the concerned third country, put in place additional (technical and/or organisational) safeguards, such as encryption and pseudonymised personal data. 

Today’s decision of the European Commission on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 shall enter into force on the twentieth (20th) day following that of its publication in the Official Journal of the European Union. Undertakings will have eighteen months from the date of entry into force to replace any existing standard contractual clauses currently being relied upon to conduct international transfers of personal data with the new SCCs.  

Do not hesitate to contact us should you have any questions on how to implement the new SCCs or how to proceed with a TIA. 

Related : Lydian ( Ms. Olivia Santantonio ,  Mr. Bastiaan Bruyndonckx )


Ms. Olivia Santantonio Ms. Olivia Santantonio
[email protected]
Mr. Bastiaan Bruyndonckx Mr. Bastiaan Bruyndonckx
[email protected]

Click here to see the ad(s)

Lastest articles by Ms. Olivia Santantonio

CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements ...

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Faceb...

Read more

World Anti-Counterfeiting Day: Fighting fake goods remains a priority

Today is the World Anti-Counterfeiting Day. The day on which we recognize the hard work necessary to stop the manufacture,...

Read more

The E-Privacy Regulation: light at the end of the tunnel?

On 10 February 2021, after years of failed attempts, the Council of the European Union finally agreed on a negotiating&nbs...

Read more

Belgian DPA’s Litigation Chamber publishes procedural rules

As we found out last year, data protection remains on the rise. In the meantime, many data subjects found their way to the...

Read more

Lastest articles by Mr. Bastiaan Bruyndonckx

Court of Justice of the European Union allows Reverse Engineering to Correct Errors

Licensees are in certain cases permitted to decompile software code without infringing the Software Directive. In a judgem...

Read more

A clear position of the ECJ: zero support for zero tariff options

A zero tariff option is a commercial practice whereby an internet access provider applies a ‘zero tariff’ (or ...

Read more

CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements ...

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Faceb...

Read more

Checklist voorbereiding en implementatie procedure klokkenluiders

Werknemers spelen als klokkenluider een sleutelrol bij het onthullen en voorkomen van inbreuken op belangrijke wetgeving d...

Read more

LexGO Network