New standard contractual clauses for data transfers between EU and non-EU countries

9 June 2021 | Legal updates

Does your business transfer personal data from the EU to third countries?

On 4 June, the European Commission published its long-awaited decision adopting new SCCs for the transfer of personal data from the EU to third countries. The new SCCs repealed the existing SCCs and reflect the requirements of the GDPR.

New standard contractual clauses for data transfers between EU and non-EU countries

Key updates include:

  • Four different types of transfer are recognised, including ‘processor to processor’ and ‘processor to controller’, as opposed to two
  • Controllers and processors can consult a new document to identify the appropriate clauses that apply on a modular basis
  • A ‘docking clause’ mechanism allows additional parties to be added to the contract
  • A mechanism addressing the Schrems II judgement is included

Data exporters now have three months to stop using the legacy SCCs in any new contracts, and 18 months to ensure their entire portfolio of contracts includes the new SCCs as opposed to the old ones. 

Becky White, data protection and GDPR expert at Harper James Solicitors advises: ‘Although the new SCCs address some key deficiencies in the previous set, businesses are now under some pressure to react.  Those transferring data from the EU to third countries now have 18 months to review their full suite of commercial contracts, and migrate them to the new SCCs where appropriate.  When it comes to new contracts, businesses have only three months to stop using the legacy SCCs altogether, this should be factored into ongoing negotiations as soon as possible. Due to Brexit, the position for UK data exporters transferring data to third countries is unaffected by the publication of the new SCCs due and transfers will continue to be based on the legacy SCCs, although the ICO has confirmed it intends to consult on new UK SCCs shortly.’

Our new guide covers the changes to SCCs in more detail and includes some suggestions on how to approach a contract remediation project. If you’d like help with any aspect of understanding and complying with GDPR, get in touch with our friendly and knowledgeable experts.

A national law firm

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

Floor 2, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
10 Fitzroy Square, London, W1T 5HP
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
2-5 Velocity Tower, 1 St Mary’s Square, Sheffield, S1 4LP