'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on June 29, 2021 AUTHOR - PRIVACY RESEARCH TEAM
In June 2021, the European Commission adopted revamped Standard Contractual Clauses (SCC) to enable European companies to transfer data securely around the world. These revamped SCCs provide added protections to cross border data transfers to non-adequate countries outside of the EU.
As per the GDPR, personal data transfers to another country outside the European Union can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. The safeguards include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), and ad-hoc contractual clauses.
On 16 July 2020, in what became known as the Schrems II case, the Court of Justice of the European Union (ECJ) invalidated the European Commission’s EU-US Privacy Shield arrangement but upheld the use of SCCs to transfer data securely outside the EU. For SCCs to be valid however, data exporters were required to review the legal regime of the country data was transferred to and assess if the SCCs would be an effective protection for the transferred data. If the SCCs were not adequate protection, data exporters had to assess the risks to the transferred data and undertake supplementary measures to protect it further.
Heavily influenced by and as a response to the comments of the ECJ in Schrems II, the European Commission adopted two new sets of SCCs, one for the transfer of personal data to third countries and one for use between controllers and processors to replace the ones adopted in 2004 and then in 2010.
Let’s look into some of the key points of these new SCCs:
The new SCCs retain the same modular approach used in the previous draft, comprising four distinct modules, to enable businesses to identify the correct module in light of their circumstances:
Some of the key takeaways of the revamped SCCs are as follows:
Overall, the new SCCs align with the requirements of the GDPR and Schrems-II. Businesses must now implement revamped SCCs as well as conduct transfer impact assessments to fully comply with Schrems-II requirements and ensure secure transatlantic data transfers. Read Post Schrems-II: 5 Essentials To Dos for Transatlantic Data Flows to learn what compliance actions you’re required to take immediately if you are still using the old SCCs.
Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers from the European Union and remediate discovered vendor risks as per the applicable legal requirements. Securiti also offers automated data mapping, DSR rights fulfillment, data breach management and security controls to help you comply with the obligations imposed by the revamped SCCs.
Click here to find out obligations of parties for each data transfer module.