What you need to know.

On June 7, 2021, the long-awaited new standard contractual clauses for the transfer of personal data outside the European Economic Area ("EEA") were published in the Official Journal of the European Union.

As a refresher, companies may only transfer personal data outside the EEA if the personal data enjoy protection there that is equivalent to the protection within the EEA. ‘Transfers’ include storage of personal data outside the EEA, and (mere) access from outside the EEA. Equivalent protection can be ensured in several ways. The European Commission's standard contractual clauses are one such way: one or more 'sending' companies conclude an agreement with one or more 'receiving' companies in accordance with the standard contractual clauses.

The 'old' standard contractual clauses, adopted before the entry into force of the GDPR, provided for two sets of clauses: one for transfers between an EEA controller and a non-EEA controller and one for transfers between an EEA controller and a non-EEA processor. The new standard contractual clauses add two (welcome) sets: one for transfers between an EEA processor and a non-EEA processor and one between an EEA processor and a non-EEA controller.

The standard contractual clauses now provide for (1) general provisions applicable to all (four) aforementioned types of transfers, (2) modular provisions to be selected according to the type of transfer and (3) three annexes to be completed by the parties. Some highlights:

• The European Commission has aligned the standard contractual clauses with the GDPR and the Schrems II case-law of the Court of Justice. For example, the standard contractual clauses contain the necessary language in accordance with Articles 28.3 and 28.4 GDPR. Thus, where relevant, a separate processing agreement is no longer necessary. At the same time, this also seems to remove the possibility for parties to negotiate such an agreement themselves. In line with the Schrems II case-law, the standard contractual clauses further include a statement that supplementary safeguards may be necessary in addition to the standard contractual clauses to ensure an equivalent level of protection (see this Privacy Talk).
• More than two parties can accede to the new standard contractual clauses. A docking clause is also provided. This is good news for (complex) processing operations involving multiple parties and intra-group transfers of personal data. The parties involved should be listed in Annex I to the standard contractual clauses.
• The parties must include in Annex II an overview of the technical and organisational measures of one or more of the parties. The standard contractual clauses contain a list of examples of such measures. Unfortunately, the European Commission does not offer advice on when it is appropriate to use which measures.

The new standard contractual clauses go into effect on June 27, 2021. Nevertheless, for new transfers, the old standard contractual clauses can still be used until September 27, 2021 (although there seems little point in doing so). For existing transfers, the old standard contractual clauses can still be used until December 27, 2022.

Finally, it is important to reiterate that, as a result of the Schrems II case-law, companies relying on the standard contractual clauses (old or new) must conduct a data transfer impact assessment (see this Privacy Talk).

What you need to do.

With the publication of the new standard contractual clauses, and the requirement for a data transfer impact assessment as a result of the Schrems II case-law, there is no longer any reason to take a wait-and-see approach. Action is required!

We've recommended it before in our Privacy Talk:

• Identify ('map') the international transfers of personal data by your company. In doing so, do not forget the broad scope of the concept of 'transfer'. Identify both transfers to third parties and intra-group transfers. Any onward transfers should also be mapped (e.g. when a supplier outside the EEA in turn transfers the personal data to a subcontractor in a country outside the EEA).
• Check whether those international transfers are absolutely necessary and, if so, what transfer mechanism can be used for them: if an adequacy decision or one of the exceptions in Article 49 GDPR applies, your company does not need to do anything else. It is interesting to note that earlier this year, the Judge-Rapporteur in the Schrems cases (Von Danwitz) stated (in his own name) at a seminar held at the German Ministry of the Interior that the exceptions in Article 49 GDPR are particularly interesting for international transfers within an intra-group context. The Judge-Rapporteur suggests that the possibilities of Article 49 GDPR have not yet been fully explored and that they should not be interpreted too narrowly.
• If your company uses the standard contractual clauses, a data transfer impact assessment and possibly additional safeguards will be necessary (see this Privacy Talk). It is recommended that you seek expert assistance in this step.
• Effective June 27, 2021, implement the new standard contractual clauses for all new transfers and replace the old standard contractual clauses by December 27, 2022.