Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

EU’s Revamped SCCs

Published June 29, 2021
Author

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Listen to the content

In June 2021, the European Commission adopted revamped Standard Contractual Clauses (SCC) to enable European companies to transfer data securely around the world. These revamped SCCs provide added protections to cross border data transfers to non-adequate countries outside of the EU.

Background:

As per the GDPR, personal data transfers to another country outside the European Union can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. The safeguards include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), and ad-hoc contractual clauses.

On 16 July 2020, in what became known as the Schrems II case, the Court of Justice of the European Union (ECJ) invalidated the European Commission’s EU-US Privacy Shield arrangement but upheld the use of SCCs to transfer data securely outside the EU. For SCCs to be valid however, data exporters were required to review the legal regime of the country data was transferred to and assess if the SCCs would be an effective protection for the transferred data. If the SCCs were not adequate protection, data exporters had to assess the risks to the transferred data and undertake supplementary measures to protect it further.

Heavily influenced by and as a response to the comments of the ECJ in Schrems II, the European Commission adopted two new sets of SCCs, one for the transfer of personal data to third countries and one for use between controllers and processors to replace the ones adopted in 2004 and then in 2010.

Let’s look into some of the key points of these new SCCs:

SCCs for transfer of personal data to third countries:

The new SCCs retain the same modular approach used in the previous draft, comprising four distinct modules, to enable businesses to identify the correct module in light of their circumstances:

  1. Transfer controller to controller (referred to as C2C hereon)
  2. Transfer controller to processor (referred to as C2P hereon)
  3. Transfer processor to processor (referred to as P2P hereon)
  4. Transfer processor to controller (referred to as P2C hereon)

Applicability:

  • The revamped SCCs are applicable starting June 27th, 2021.
  • Both the old and revamped SCC can be signed up to September 27th, 2021 (3 months after the start date). After this date, only the revamped SCC can be signed.
  • Current SCCs must be replaced with the revamped SCC by December 27th, 2022.

Key Takeaways:

Some of the key takeaways of the revamped SCCs are as follows:

  • There is a lot of focus on accountability, compliance, and audit obligations. They especially require processors who process transferred data in a non-adequate country to provide documentation to show that they have processed data for the designated purpose in compliance with the SCCs. Updated Records of Processing Activities (RoPA) reports will help organizations fulfill these obligations and demonstrate compliance.
  • Data minimization, accuracy, purpose limitation, and storage limitation obligations apply to all parties in all transfers. A comprehensive data mapping exercise will help organizations in the fulfillment of these principles.
  • Parties are required to undertake appropriate security measures with a special focus on encryption and pseudonymization for the protection of the processing of personal data.
  • Importer data controllers are required to respond to even more varieties of data subjects’ requests.
  • Transfer impact assessments have been made mandatory. All parties in all transfers are required to consider the laws and practices of the third country of destination, including any requirements to disclose the personal data or measures authorizing access by public authorities, to determine if they can fulfill the requirements of the SCCs.
  • Breach notification obligations vary depending on whether the data transfer agreement is C2C, C2P or P2P. For importer data controllers, they may be required to notify data breaches to the data exporter, the competent supervisory authority, along with the affected data subjects. For importer processors, they may only need to notify the exporter.
  • The new SCCs are on-par with the GDPR in terms of data protection requirements.
  • With the docking clause, the SCCs allow multiple data exporting parties to contract and the addition of new parties over time.

Overall, the new SCCs align with the requirements of the GDPR and Schrems-II. Businesses must now implement revamped SCCs as well as conduct transfer impact assessments to fully comply with Schrems-II requirements and ensure secure transatlantic data transfers. Read Post Schrems-II: 5 Essentials To Dos for Transatlantic Data Flows to learn what compliance actions you’re required to take immediately if you are still using the old SCCs.

Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers from the European Union and remediate discovered vendor risks as per the applicable legal requirements. Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations imposed by the revamped SCCs.

Click here to find out the obligations of parties for each data transfer module.

Your Data+AI Command Center

Enable Safe Use of Data and AI

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
DSPM vs. CSPM – What’s the Difference?
While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
What is SSPM? (SaaS Security Posture Management) View More
What is SSPM? (SaaS Security Posture Management)
This blog covers all the important details related to SSPM, including why it matters, how it works, and how organizations can choose the best...
View More
“Scraping Almost Always Illegal”, Netherlands DPA Declares
Explore the Dutch Data Protection Authority's guidelines on web scraping, its legal complexities, privacy risks, and other relevant details important to your organization.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Top 3 Key Predictions on GenAI's Transformational Impact in 2025 View More
Top 3 Key Predictions on GenAI’s Transformational Impact in 2025
Discover how a leading Chief Data Officer (CDO) breaks down top predictions for GenAI’s transformative impact on operations and innovation in 2025.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New