BHBIA & MEMBER NEWS

Back to News List

BHBIA NEWS

Data Protection News - New EU Standard Contractual Clauses (SCCs)

June 9th, 2021

The European Commission (EC) published new SCCs on 4 June 2021. The updated SCCs bring them in line with the GDPR and recent European Union Court of Justice (CJEU) judgements.  https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847

The new SCCs are for data transfers from controllers or processors in the EU/EEA (or subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR – often referred to as a ‘third country’). The EC’s statement explains: “the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) are free to include those SCCs in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of data subjects.”

The new SCCs (https://ec.europa.eu/info/sites/default/files/1_en_act_part1_v5.pdf) are described as ‘modular’ and cater for four modules or transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

Within the Annex (https://ec.europa.eu/info/sites/default/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf), supporting explanations (referred to as ‘recitals’) detail how exporters and importers should use the new SCCs and provide different scenarios and appropriate modules.

It is important to note that the new SCCs require both parties to the SCCs and the competent supervisory authority to assess the recipient's ability to comply with the SCCs (in line with the July 2020 Schrems II CJEU judgement).
Organisations may continue to use the current SCCs until 27 September 2021, but must transition to the new SCCs by 27 December 2022.

In the UK 

The new SCCs will not apply for transfers of personal data from the UK to a third country. Data exports from the UK should continue to be based on the old/legacy SCCs until the UK’s Information Commissioner’s Office (ICO) publishes its own SCCs (which won’t be for several months) or recognises the new EU SCCs (which is under consideration). This would minimise the need to put both EU and UK SCCs in place to cover identical transfers from the two regions to a third country.

In view of the fact that the EU’s draft UK adequacy decisions have not yet been finalised and have recently been criticised by the European Parliament's civil liberties committee, we recommend members consider their need to put the new EU SCCs in to place and carefully monitor the news on adequacy and SCCs. 

The BHBIA’s Ethics & Compliance Committee will keep you informed of any updates.


The BHBIA’s Ethics & Compliance Committee is providing this guidance as general information for its members. It is not legal advice and should not be relied upon as such. Specific legal advice should be taken in relation to any specific legal problems or matters. Whilst every reasonable effort is made to ensure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the BHBIA.