MyData-TRUST White Paper on the New Standard Contractual Clauses for International Transfers under the GDPR
September 28, 2021
As you will recall, the European Commission published a new set of Standard Contractual Clauses (SCCs) for international transfers of personal data, which have entered into effect on 27th June 2021. They have been a long time coming, especially following the coming into force of the GDPR. SCCs are generally the most commonly used mechanism for such transfers between two entities.
New Standard Contractual Clauses
On June 4, 2021, the European Commission issued a new set of Standard Contractual Clauses (“SCCs”) for the processing of personal information between data controllers and data processors who are subject to the General Data Protection Regulation (“GDPR”).
In contrast to the old clauses, the new SCCs adopt a modular approach based on four scenarios:
- Module 1: From a controller to another controller (C2C);
- Module 2: From a controller to a processor (C2P);
- Module 3: From a processor to a processor (P2P);
- Module 4: From a processor to its appointing controller (P2C).
All four sets of modules are effectively consolidated into one document, allowing controllers and processors to select the relevant module which is applicable to their particular transfer scenario.
The new SCCs take into account the Court of Justice of the European Union’s decision in Schrems II issued last summer. The New SCCs require only the processing of personal data by the data exporter (the entity exporting data outside of the EEA) subject to the GDPR, even if the data exporter is not established in the EEA. This tool can only be used to legitimize transfers of personal data where the data importer is not subject to the GDPR. This provision has raised questions about the Commission’s intentions, with much buzz about the possibility that a transfer to a data importer already required to comply with the GDPR is not a “restricted transfer”.
What remains unclear, however, is the impact of text in the Implementing Decision indicating that the new SCCs are applicable only when the processing by the data importer is not subject to the GDPR. If you want to learn more about the next step and discover the key differences between the old SCCs and the New SCCs (Transfer Impact Assessment, Public Authorities Requests for Data, Onwards Transfers, Use of Sub-Processors and the specificity of Annexes), please read our White Paper.
To read the full White Paper of MyData-TRUST, click on the button:
If you are an organisation operating in the Health sector looking for advice or additional information on this subject, contact MyData-TRUST. We will be pleased to assist you.