Last week, the European Commission (EC) adopted a set of new standard contractual clauses, one of which included standard contractual clauses for the transfer of personal data to third countries (New EU SCCs). The EC also adopted a set of SCCs for use between controllers and processors pursuant to Article 28(7) of the EU GDPR.
The New EU SCCs follow a ‘modular’ approach, allowing for specific sets of clauses to be used for controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller personal data transfers, as well as to allow for more than two parties to join. The New EU SCCs also take into account the Schrems II judgement as, for example, both the data exporter and data importer are required to warrant that they have carried out an assessment of the local laws in the jurisdiction in which the personal data is to be transferred to. Additionally, the parties will be required to document such assessment and make it available to a data protection supervisory authority on request.
Businesses will have 18 months to update all contracts incorporating the old standard contractual clauses for personal data transfers outside the EU, with the New EU SCCs.
We expect to see the ICO confirm its position regarding the UK standard contractual clauses for personal data transfers outside the UK fairly soon following this development. The ICO recently announced that it was working on bespoke UK standard contractual clauses, with a view to publish a draft for public consultation this summer. The ICO also stated it may recognise the New EU SCCs as a valid transfer mechanism under the UK GDPR.