The European Commission has adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries. The Commission says that they reflect new requirements under the GDPR and take into account the Court of Justice’s decision in Case 311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II). The aim is to ensure a high level of data protection. The Commission says that the new clauses will offer more legal predictability to European businesses. They also aim to help organisations, especially SMEs, to comply with requirements for safe data transfers, while allowing data to move freely across borders without legal barriers.
The new standard contractual clauses take into account the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, the views of member states and feedback from a consultation.
They also reflect requirements under the GDPR and aim to address the realities faced by modern business. Because they are standardised and pre-approved, they provide an easy-to-implement template for companies to use to meet data protection requirements.
The key points in the new standard contractual clauses are:
- Up-to-date in line with the GDPR;
- One single entry point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- More flexibility for complex processing chains, through a “modular approach” and by offering the opportunity for more than two parties to join and use the clauses;
- Practical toolbox to comply with the Schrems II judgment; that is, an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible “supplementary measures”, such as encryption, that organisations may take if necessary; and
- For controllers and processors currently using previous sets of standard contractual clauses, a transition period of 18 months is provided.
The European Commission has adopted the new standard contractual clauses at a time where a number of regional organisations and third countries are developing or have issued their own standard contractual clauses. The Commission says that it will step up its cooperation with these international partners to further facilitate data transfers between different regions of the world.
