On 4 June 2021, The European Commission adopted new standard contractual clauses (SCCs) for use between controllers and processors and for the transfer of personal data to third countries—that is, countries that the European Union (EU) has not found to have sufficiently protective privacy laws.

Some of the biggest innovations are:

Updating the SCCs to be in line with the General Data Protection Regulation (GDPR);

– Having a single entry-point for a broader range of transfer scenarios instead of requiring organizations to use separate sets of clauses;
– Creating flexibility by using a modular approach to the clauses and letting multiple parties join and use them, designed in particular for complex data processing chains with subprocessors and sub-subprocessors;
– Creating a ‘practical toolbox’ to comply with the requirements of the Schrems II judgment, which invalidated the EU–U.S.  Privacy Shield last year, such as by providing examples of supplementary measures companies can take to increase security of processing.

Companies may continue to enter into contracts using the previous SCCs until 27 September 2021, and contracts using the SCCs will be valid for 18 months (i.e., new ones must be entered into by December of 2022).

You can access the full European Commission update here. The publication of the decision is published in the Official Journal of the European Union here. SixFifty will roll out its GDPR toolset update before the sunset of the prior SCCs.

Join us for a webinar on June 29th, 10 am PT, as we discuss this in further detail.