On 4 June 2021, The European Commission adopted new standard contractual clauses (SCCs) for use between controllers and processors and for the transfer of personal data to third countries—that is, countries that the European Union (EU) has not found to have sufficiently protective privacy laws.
Some of the biggest innovations are:
Updating the SCCs to be in line with the General Data Protection Regulation (GDPR);
– Having a single entry-point for a broader range of transfer scenarios instead of requiring organizations to use separate sets of clauses;
– Creating flexibility by using a modular approach to the clauses and letting multiple parties join and use them, designed in particular for complex data processing chains with subprocessors and sub-subprocessors;
– Creating a ‘practical toolbox’ to comply with the requirements of the Schrems II judgment, which invalidated the EU–U.S. Privacy Shield last year, such as by providing examples of supplementary measures companies can take to increase security of processing.
Companies may continue to enter into contracts using the previous SCCs until 27 September 2021, and contracts using the SCCs will be valid for 18 months (i.e., new ones must be entered into by December of 2022).
You can access the full European Commission update here. The publication of the decision is published in the Official Journal of the European Union here. SixFifty will roll out its GDPR toolset update before the sunset of the prior SCCs.
Join us for a webinar on June 29th, 10 am PT, as we discuss this in further detail.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth