Contracts entered into prior to Sept. 27 will need to be amended to adopt the new standard contractual clauses by Dec. 27, 2022.
As of Sept. 27, entities entering new contracts that are subject to the General Data Protection Regulation (“GDPR”) must use the European Commission’s updated Standard Contractual Clauses (“SCCs”).
From this point forward, the E.U. expects entities to use the following two sets of SCCs. First, if an entity is involved in the international transfer of data from the European Economic Area (“EEA”), they must use the SCCs linked here. Second, if an entity is involved in the transfer of data within the EEA, they must use the SCCs linked here.
Contracts entered into prior to Sept. 27 may continue to rely on the old SCCs, but only until late next year. Such contracts that continue to rely on the old SCCs must replace them with the new SCCs by Dec. 27, 2022.
Background and Context
This past summer, the European Commission updated their SCCs to better align with the E.U.’s GDPR and address the post Schrems II legal landscape.
In Schrems II, the Court of Justice of the European Union famously struck down the E.U. - U.S. Privacy Shield. The Court also called into question the validity of the old SCCs. To address the concerns the Court raised, the European Commission adopted the new SCCs.
The first set of new SCCs are familiar as they relate to the traditional transfer of personal data from geographic locations in the EEA to geographic locations outside of the EEA. The second set of new SCCs are brand new, and specifically cover the engagement of data processors in the EEA when there is no transfer of data to a geographic location outside of the EEA. See our earlier, more in-depth analysis of how the SCCs changed here.