Important Updates For Businesses That Transfer Data From Europe: European Commission Adopts New Standard Contractual Clauses

Womble Bond Dickinson

Womble Bond Dickinson

Top 3 Takeaways

On Friday, June 4, 2021, the European Commission adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to “third countries” (i.e., countries outside the EEA). We highlight three key points for the cross-border clauses.

1. What are the timelines for using the new clauses?

Existing transfers: Parties can continue to rely on the old clauses for up to 18 months (until December 27, 2022) as long as the processing operations remain unchanged and the use of the clauses ensures the transfer of personal data is subject to adequate safeguards (e.g., continue to consider post-Schrems II risk assessments and related factors).

New transfers: Parties can use the old clauses for 3 months (until September 27, 2021) for new transfers. After that, parties will need to use the new clauses.

2. What are the key changes?

According to the European Commission, the new clauses address the following:

  • Updates in line with the General Data Protection Regulation (note the old clauses pre-dated the GDPR)
  • One set of clauses to address multiple transfer scenarios (versus different sets of clauses depending on the transfer); this expands the types of scenarios covered to include processor-to-processor and processor-to-controller transfers in addition to the previously covered controller-to-controller and controller-to-processor transfers
  • Flexibility to add more than two parties to the clauses (to address complex data processing scenarios)
  • A toolbox to comply with Schrems II requirements

3. What should I do next?

Parties using the old clauses should take steps to update their contracts to the new clauses. The timeframe to complete this task will depend on whether the data transfer activities remain the same or plan to change.
Some entities that were previously unable to use the clauses now have the option to use them (processor-to-processor and processor-to-controller). In those cases, the parties can assess if they should enter into the new clauses to facilitate cross-border transfers. If you make changes to your cross-border data transfer compliance approach, then don’t forget to update your policies and procedures to reflect these changes (such as your website privacy notices or internal process documents).

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Womble Bond Dickinson | Attorney Advertising

Written by:

Womble Bond Dickinson

Womble Bond Dickinson on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.