Data transfer tool – Adoption of new sets of Standard Contractual Clauses
08/06/2021

In the absence of an adequacy decision or derogations, undertakings may only transfer personal data outside the European Economic Area (EEA) if the latter have provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

To do so, undertakings widely use Standard Contractual Clauses (SCCs) adopted by the European Commission as an appropriate safeguards mechanism. 

The SCCs contain contractual obligations aiming to ensure compliance with the GDPR’s requirements and extend the scope of these rules to territories that are not considered to offer an adequate level of protection for the rights and freedoms of data subjects.

As the current SCCs were adopted by the European Commission under Directive 95/46, the predecessor of the GDPR, their content (which still referred to Directive 95/46) needed a major update. 

In addition, the use of SCCs as an appropriate safeguards mechanism has been questioned by the Court of Justice of the EU (CJEU) in the Schrems II case (read our previous e-zine on the decision rendered on 16 July 2020, C-311/18). Although the CJEU confirmed that the SCCs may be an effective mechanism to protect EU citizens whose personal data are to be transferred outside the EEA and therefore acknowledged their validity in principle, it is of the opinion that a case-by-case analysis is necessary in order to evaluate whether the data importer in the third country will be able to comply with the SCCs in practice and whether the legal system of the third country does not prevent such compliance. Hence, while in the past it was assumed that the signing of the SCCs in and of itself rendered a transfer compliant, EU data exporters now have to carry out Transfer Impact Assessments (TIAs) prior to using the SCCs. 

In light of the above, on 12 November 2020, the European Commission published new draft SCCs for public consultation. Feedback from no less than 148 organisations, especially business associations, has been received. In general, the updated SCCs were welcomed, but subject to certain remarks, suggestions and requests for amendment. 

The final version of the set of SCCs has been adopted and published today (see link here).

WHAT’S NEW ?

There are now four (4) sets of SCCs: 

  • controller-to-controller transfers; 
  • controller-to-processor transfers; 
  • processor-to-processor transfers (new!); and 
  • processor-to-controller transfers. 

The new SCCs provide more legal and privacy safeguards. The European Commission has further inserted some elements of transparency and accountability. For example, sub-processors will now have accept audits from the EEA-based controller.

The new SCCs also take into account the findings of the CJEU in the Schrems II case. As a result, the need for data exporters to perform a TIA prior to implementing the SCCs has now become a formal requirement and no longer based on EDPB guidance only. It is up to the EU data exporters to decide whether they only use SCCs or, given the legislation of the concerned third country, put in place additional (technical and/or organisational) safeguards, such as encryption and pseudonymised personal data. 

Today’s decision of the European Commission on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 shall enter into force on the twentieth (20th) day following that of its publication in the Official Journal of the European Union. Undertakings will have eighteen months from the date of entry into force to replace any existing standard contractual clauses currently being relied upon to conduct international transfers of personal data with the new SCCs.  

Do not hesitate to contact us should you have any questions on how to implement the new SCCs or how to proceed with a TIA. 

Voir aussi : Lydian ( Ms. Olivia Santantonio ,  Mr. Bastiaan Bruyndonckx )

[+ http://www.lydian.be]

Ms. Olivia Santantonio Ms. Olivia Santantonio
Counsel
[email protected]
Mr. Bastiaan Bruyndonckx Mr. Bastiaan Bruyndonckx
Partner
[email protected]

Click here to see the ad(s)

Derniers articles de Ms. Olivia Santantonio

CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements ...
21/06/2021

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Faceb...

Read more

World Anti-Counterfeiting Day: Fighting fake goods remains a priority
08/06/2021

Today is the World Anti-Counterfeiting Day. The day on which we recognize the hard work necessary to stop the manufacture,...

Read more

The E-Privacy Regulation: light at the end of the tunnel?
18/02/2021

On 10 February 2021, after years of failed attempts, the Council of the European Union finally agreed on a negotiating&nbs...

Read more

Belgian DPA’s Litigation Chamber publishes procedural rules
30/01/2021

As we found out last year, data protection remains on the rise. In the meantime, many data subjects found their way to the...

Read more

Derniers articles de Mr. Bastiaan Bruyndonckx

CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements ...
21/06/2021

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Faceb...

Read more

Checklist pour la préparation et l’implémentation d’une procédure de lanceurs d’alerte
14/06/2021

Les travailleurs jouent un rôle clé en tant que lanceurs d’alerte en divulguant et prévenant les...

Read more

The Belgian DPA approved the EU Cloud Code of Conduct for cloud service providers acting as a pro...
03/06/2021

On 20 May 2021, the Belgian Data Protection Authority (hereinafter DPA) has approved the first transnational code of ...

Read more

European Commission publishes proposal for AI regulation
26/04/2021

In recent years, artificial intelligence (AI) has been a popular buzzword and a hot topic that has caught the attention of...

Read more

LexGO Network