On 4 June 2021, the European Commission published modernized Standard Contractual Clauses (SCCs) for data transfers under the General Data Protection Regulation (GDPR). The modernized SCCs were published as two sets: the first set regulates cross-border transfers to third countries outside the EU and replaces the old SCCs, whereas the second set is for data transfers between data controllers and data processors.
Under the GDPR, cross-border data transfers outside of the EU must rely either on an adequacy decision or on alternative mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules. To ensure full compliance with the GDPR and the legislative developments on data transfers (such as the Schrems decision on the invalidation of the EU-US Privacy Shield), the EU Commission published modernized SCCs, replacing the current SCCs.
The new SCCs took effect on 27 June 2021. The old SCCs may still be used for new data transfers during the transition period of three months, which ends on 27 September 2021. Existing data transfers based on old SCCs can be continued until 27 December 2022, after which all data transfers must comply with the new sets of SCCs.
What are the Key Changes?
Some of the key changes to the previous SCCs include the following:
- Stronger data subject protection
With the new SCCs, data subjects will be able to enforce the contractual rights under the SCCs as third-party beneficiaries against the parties of the SCC.
- Modular approach
The new SCCs feature a modular approach based on the data flow and legal status of the data exporter/data importer as follows:
Controller-to-controller transfers (Module 1)
Controller-to-processor transfers (Module 2)
Processor-to-processor transfers (Module 3)
Processor-to-controller transfers (Module 4)
The new SCCs include clauses with respect to transfers from processor-to-processor and processor-to-controller that were not covered by the old SCCs before.
- Warranty on destination country’s regime and obligations for government access requests
With the new SCCs, all parties must warrant that the legal regime in the third country does not prevent the data importer from fully complying with the terms and obligations of the SCCs. Accordingly, the new SCCs require additional transparency and cooperation from the data importer with respect to the data transfer. The new SCCs also impose obligations on data importers in the event of any request from the destination country's public authorities to access the transferred personal data. These obligations include notifying the data exporter, challenging the disclosure, and minimizing the disclosed data.
- Technical and organizational measures
To ensure an adequate level of protection in the destination country, the SCCs require specific information on the technical and organizational measures in place. As part of the data security obligations, the SCCs must also include a requirement for ongoing monitoring of the sufficiency of the security measures.
- Multipartite clauses and the docking clause
According to the new SCCs, multiple data exporting parties may become parties to the contract, and new parties apart from the initial signatories may be added over time (the so-called 'docking clause').
The new SCCs reflect the requirements of the GDPR and the legislative developments in the field of data privacy. Due to the extraterritorial applicability of the GDPR, the changes to the SCCs also concern Turkish data controller companies that are subject to the GDPR, either because they offer goods or services to data subjects in the EU or because they monitor data subjects' behavior insofar as that behavior takes place in the EU. Data processing companies will be able to execute new contracts based on the old SCCs until 27 September 2021; however, data transfers that rely on the old SCCs must be moved over to the new SCCs by 27 December 2022.