EU’s Revamped SCCs

Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Managment

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

CCPA

View

CPRA

View

GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

PIPEDA

View

PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

In June 2021, the European Commission adopted revamped Standard Contractual Clauses (SCC) to enable European companies to transfer data securely around the world. These revamped SCCs provide added protections to cross border data transfers to non-adequate countries outside of the EU.

Background:

As per the GDPR, personal data transfers to another country outside the European Union can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. The safeguards include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), and ad-hoc contractual clauses.

On 16 July 2020, in what became known as the Schrems II case, the Court of Justice of the European Union (ECJ) invalidated the European Commission’s EU-US Privacy Shield arrangement but upheld the use of SCCs to transfer data securely outside the EU. For SCCs to be valid however, data exporters were required to review the legal regime of the country data was transferred to and assess if the SCCs would be an effective protection for the transferred data. If the SCCs were not adequate protection, data exporters had to assess the risks to the transferred data and undertake supplementary measures to protect it further.

Heavily influenced by and as a response to the comments of the ECJ in Schrems II, the European Commission adopted two new sets of SCCs, one for the transfer of personal data to third countries and one for use between controllers and processors to replace the ones adopted in 2004 and then in 2010.

Let’s look into some of the key points of these new SCCs:

SCCs for transfer of personal data to third countries:

The new SCCs retain the same modular approach used in the previous draft, comprising four distinct modules, to enable businesses to identify the correct module in light of their circumstances:

Transfer controller to controller (referred to as C2C hereon)
Transfer controller to processor (referred to as C2P hereon)
Transfer processor to processor (referred to as P2P hereon)
Transfer processor to controller (referred to as P2C hereon)

Applicability:

The revamped SCCs are applicable starting June 27th, 2021.
Both the old and revamped SCC can be signed up to September 27th, 2021 (3 months after the start date). After this date, only the revamped SCC can be signed.
Current SCCs must be replaced with the revamped SCC by December 27th, 2022.

Key Takeaways:

Some of the key takeaways of the revamped SCCs are as follows:

There is a lot of focus on accountability, compliance and audit obligations. They especially require processors who process transferred data in a non-adequate country to provide documentation to show that they have processed data for the designated purpose in compliance with the SCCs. Updated Records of Processing Activities (RoPA) reports will help organizations fulfill these obligations and demonstrate compliance.
Data minimization, accuracy, purpose limitation and storage limitation obligations apply to all parties in all transfers. A comprehensive data mapping exercise will help organizations in fulfillment of these principles.
Parties are required to undertake appropriate security measures with a special focus on encryption and pseudonymization for the protection of processing of personal data.
Importer data controllers are required to respond to even more varieties of data subjects’ requests.
Transfer impact assessments have been made mandatory. All parties in all transfers are required to consider the laws and practices of the third country of destination, including any requirements to disclose the personal data or measures authorizing access by public authorities, to determine if they can fulfill the requirements of the SCCs.
Breach notification obligations vary depending on whether the data transfer agreement is C2C, C2P or P2P. For importer data controllers, they may be required to notify data breaches to the data exporter, the competent supervisory authority along with the affected data subjects. For importer processors, they may only need to notify the exporter.
The new SCCs are on-par with the GDPR in terms of data protection requirements.
With the docking clause, the SCCs allow multiple data exporting parties to contract and the addition of new parties over time.

Overall, the new SCCs align with the requirements of the GDPR and Schrems-II. Businesses must now implement revamped SCCs as well as conduct transfer impact assessments to fully comply with Schrems-II requirements and ensure secure transatlantic data transfers. Read Post Schrems-II: 5 Essentials To Dos for Transatlantic Data Flows to learn what compliance actions you’re required to take immediately if you are still using the old SCCs.

Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers from the European Union and remediate discovered vendor risks as per the applicable legal requirements. Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations imposed by the revamped SCCs.

Click here to find out obligations of parties for each data transfer module.

EU’s Revamped SCCs

Table of contents

Background:

SCCs for transfer of personal data to third countries:

Applicability:

Key Takeaways:

Bedrock of your Privacy & Security

Related Content

Newsletter

Company

Resources

Terms

Get in touch

EU’s Revamped SCCs

Table of contents

Background:

SCCs for transfer of personal data to third countries:

Applicability:

Key Takeaways:

Bedrock of your Privacy & Security

Schedule a LIVE One-on-One Demo

Share this

Join Our Newsletter

Related Content

Cookie Consent Requirements in Slovakia

Consent Requirements Under Thailand’s Data Protection Framework

Privacy-by-Design and Privacy-by-Default

Newsletter

Company

Resources

Terms

Get in touch