Commission Adopts Model Clauses for International Transfers and Processor Agreements
On 4 June 2021, the European Commission published two Implementing Decisions with model clauses to comply with the General Data Protection Regulation (EU) 2016/679 (the GDPR).
The first decision is likely to have a more significant impact than the second for many organisations. The European Commission adopted new standard contractual clauses for the transfer of personal data to third countries outside the EU/EEA (the Transfer SCCs). Compared to the current SCCs, the new Transfer SCCs provide more flexibility in the situations that they cover and the parties that are covered by the clauses. In addition, the new Transfer SCCs provide more legal certainty in view of the recent case law of the Court of Justice of the European Union, including the Schrems II case. Organisations that rely on older versions of the SCCs for their international transfers now have 18 months to replace these with the new Transfer SCCs (or other measures that are permitted under the GDPR).
The second decision contains a set of model clauses that can be used between controllers and processors (the Processor Clauses). In particular, Article 28 of the GDPR requires data controllers to put in place a data processing agreement (or other legal act) when outsourcing data processing activities to a data processor, and sets forth the data protection obligations that must be covered by such data processing agreement. The use of the Processor Clauses is optional and organisations can still continue to use their own processor agreements, provided that these comply with Article 28 of the GDPR.
Please click on the link below to read our note on both sets of model clauses.
Related insightsSign up for updates