New sets of Standard Contractual Clauses (SCCs)
On 4th June 2021 the European Commission issued two new sets of standard contractual clauses (SCCs).
As it is well known, these contractual clauses serve to ensure appropriate data protection safeguards for data processing and data transfers. As the SCCs adopted under the previous Data Protection Directive 95/46 became obsolete, European Commission issued modernised SCCs under the Genereal Data Protection Regulation (GDPR) in that way replacing the existing ones. For example, with new SCCs are prescribed additional obligations for processors, data imporetes, as well as data security obligations, data retention restrictions, etc.
As we mantioned, there are two new sets of SCCs issued by European Commisson:
- SCCs for use between controllers and processors (Data Processing SCCs)
- SCCs for cross-border data transfers to third countries (Data Transfer SCCs).
Data Processing SCCs & Data Transfer SCCs
- Data Processing SCCs
According to the GDPR, the controller is obliged to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this GDPR and ensure the protection of the rights of the data subject.”
In order to fulfil the above mentioned requirements, European Commission is allowed to develop a template, i.e. model of standard contract clauses. The new SSCs is such a „contract template” developed by European Commission. The use of these clauses facilitates the position of controllers and processors because they can use these clauses instead of drafting their own Data Processing Agreement.
- Data Transfer SCCs
In accordance with the GDPR, any transfer of personal data which are undergoing processing, or are intended for processing after transfer to a third country, or to an international organisation, shall take place only if the prescribed requirements are fulfieled, ie. if the adequate level of protection is provided.
If the new SCCs are applied, it is considered that the controller and the processor have provided an adequate level of protection of the data being transferred in the third country. Also the new Data Transfer SCCs is contract template which may be used by controllers and processors for data transfer to third countries.
Application of new SCCs
Two new sets od SCCs are applicable from 27th June 2021. Meanwhile the old SCCs can be used for new transfers of personal data until 27th September 2021.
We point out that existing transfer of personal data (that is based on old SCCs) can continue until 27th December 2022. So, after this date only new SCCs will be applied.
Meanwhile in Serbia
Earlyer, Serbian Commissioner for information of publlic importance and personal data protection has addopeted one set of Standard contractual clauses (published in Official Gazette 5/20220) regulating only relations between controlor and processor.
It is likely that Serbian Commissioner will in the following period addopt new set of SCCs, in that way harmonising it to the EU regulations. It is to be expected, in particular because on July 16, 2020 the Court of Justice of the European Union issued a judgement no. C-311/18 (known as Schrems II) and disabled the Privacy Shield Framework – the most used mechanism for personal data transfers between the European Union and the United States.