SCCs are for use between controllers and processors and for the transfer of personal data to third countries.
The European Commission has adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries. The Commission says that they reflect new requirements under the GDPR and take into account the Court of Justice’s decision in Case 311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II). The aim is to ensure a high level of data protection. The Commission says that the new clauses will offer more legal predictability to European businesses. They also aim to help organisations, especially SMEs, to comply with requirements for safe data transfers, while allowing data to move freely across borders without legal barriers.
The new standard contractual clauses take into account the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, the views of member states and feedback from a consultation.
They also reflect requirements under the GDPR and aim to address the realities faced by modern business. Because they are standardised and pre-approved, they provide an easy-to-implement template for companies to use to meet data protection requirements.
The key points in the new standard contractual clauses are:
The European Commission has adopted the new standard contractual clauses at a time where a number of regional organisations and third countries are developing or have issued their own standard contractual clauses. The Commission says that it will step up its cooperation with these international partners to further facilitate data transfers between different regions of the world.