What Is Standard Contractual Clauses

The Standard Contractual Clauses for Data Protection Authorities adopted by the European Commission on 4 June 2021 therefore aim to provide a uniform and prima facie legal data protection agreement on which companies and organisations can rely and execute to govern their relationship between the controller and the processor. These decisions aim to provide companies with more comprehensive contractual tools that they can implement before processing or transferring personal data from the EEA in accordance with the new requirements of the GDPR. Unlike the old CCT, which only applied to controller-to-controller (“C2C”) and controller-to-processor (“C2P”) transfers outside the EEA, the new SCCs include various modules that the parties can select and complete depending on the circumstances of the transfer (C2C, C2P, P2P and P2C). In addition, the new CLAs that apply to the transfer of personal data outside the EEA take into account the judgment of the Court of Justice of the European Union (“CJEU”) of 16 July 2020 in the Schrems II case. These will replace the old 2010 Standard Contractual Clauses. The new clauses reflect changes implemented with the eu`s new data protection law, the General Data Protection Regulation (GDPR) of 2018. The GDPR restricts the types of personal data that can be legally transferred. The European Commission has also adopted another decision on a set of standard contractual clauses under Article 28 of the GDPR to be used between controllers and processors established in the EEA. These standard contractual clauses concern the provisions necessary for a data processing contract in accordance with Article 28 of the GDPR and should not be confused with the SCCs which provide safeguards for the transfer of personal data to third countries. Adequacy decision: The recipient company is located in a country whose data protection standards have been deemed “adequate” by the European Commission.

At the time of writing, these countries are: [5] Unlike other frameworks for the transfer of personal data outside the EEA provided for in Articles 46 and 47 of the GDPR, such as.B. Binding Corporate Rules (“BCRs”), approved codes of conduct and certification mechanisms, or ad hoc contractual clauses negotiated in private between controllers and/or processors. All of these mechanisms require or require the intervention of a regulatory authority or a certified/authorised third party to monitor and authorise the transfer of personal data outside the EEA. The European Commission may decide that the standard contractual clauses provide sufficient safeguards for data protection so that data can be transferred internationally. Standard Contractual Clauses (SCCs) aim to protect personal data leaving the EEA and therefore to countries that do not have an adequacy decision and therefore may not provide the same level of security for personal data. The CCT guarantees through contractual obligations that the data is protected to a level required by the GDPR. Although the new standard contractual clauses of 27. In June 2021, the European Commission introduced two grace periods for new CBAs that apply to the transfer of personal data outside the EEA.

The first grace period allows controllers and subcontractors to execute the old CLAs until September 27, 2021. The second grace period allows controllers and subcontractors to rely on the old CLAs operating before September 27, 2021 until December 27, 2022. From the latter date, companies that have relied on old CLAs for the transfer of personal data outside the EEA should be fully switched to the new CLAs. The COLLECTIVE SHALL DEFINE THE RIGHTS AND OBLIGATIONS OF THE CONTROLLER AND THE PROCESSOR WHEN PROCESSING PERSONAL DATA ON BEHALF OF THE CONTROLLER. The clauses aim to ensure that each is GDPR compliant, contain obligations on both sides and set out rights for the individuals whose personal data is transferred. On the one hand, the standard contractual clauses for data protection authorities aim to provide an optional set of clauses that controllers and processors can use to perform contracts in accordance with Article 28 of the GDPR. However, each data protection authority is directly subject to Article 28 of the GDPR and does not require the use of clauses approved by the European Commission or EU supervisory authorities to be valid. In addition, many supervisory authorities have published and published similar DPA templates in order to provide guidance to controllers and processors. [4] However, the standard contractual clauses for data protection authorities adopted by the European Commission may offer additional convenience to companies and organisations involved in the cross-border processing of personal data that cannot rely on the guidelines of their (lead) supervisory authority. You can add additional clauses, and in fact you may have to do so (as we will see below), but these should not conflict with the CCTs. The publication of the final version of the Standard Contractual Clauses, and in particular the new SCC on the transfer of personal data to third countries, was eagerly awaited.

THE COLLECTIVE AGREEMENTS are only valid if they can ensure that personal data is protected in accordance with a standard that complies with the GDPR and the EU Charter of Fundamental Rights. Standard contractual clauses for data transfers between EU and third countries. For data importers who are subcontractors, as modules two and three also include the mandatory clauses of the GDPR, they are likely to be used only for transfers outside the EU to data processors (whereas previously the former CTCs were generally attached to a separate data processing agreement (“DPA”) that included the mandatory clauses of the GDPR). . . .