Today, the European Commission approved two new standard contractual clauses (“SCC’s”). The new versions are in line with the requirements laid down in the General Data Protection Regulation (GDPR). The new model contracts also take into account the so-called Schrems II ruling of 16 July 2020, which declared the EU-US Privacy Shield invalid.
The new SCC’s replace the three current SCC’s, which were still drafted at the time of the Data Protection Directive (Directive 95/46/EC). One of the standard contractual clauses is intended for use between data controllers and processors, and the other for the transfer of personal data to third countries.
According to the European Commission, one important adjustment compared to the SCC’s is the ‘modular’ design. This offers more flexibility and allows more than two parties to be party to the SCC’s. The new versions also take into account the consequences of Schrems II. The SCC’s contain a roadmap for companies to comply with the requirements for the transfer of personal data after Schrems II. They also give examples of ‘additional measures’ that parties can take if the level of protection in the other country is not up to standard.
Parties currently using the old SCC’s have 18 months to switch to the new versions. However, they will have to critically examine whether the old SCC’s are still adequate in light of the Schrems II ruling.