'New' SCCs for international data transfers are out now.
Key takeaways:
- The ‘old’ SCCs can still be used for new data transfers for a further period of 3 months following the date the ‘New’ SCCs come into force (27 June 2021).
- Legacy data transfers already underway can continue to use the ‘old’ SCCs for 18 months from the date the ‘New’ SCCs come into force.
- ‘New’ SCCs include a lot of Schrems-II obligations in order to fulfil the requirements set by the CJEU. To fulfil these requirements, organisations are allowed to take a risk-based approach when making the local law assessment of a Third Country and therefore consider the “likelihood” that public authorities would in fact access the exported personal data. The transfer impact assessment needs to be documented and provided to supervisory authorities upon request.
- ‘New’ SCCs follow modular approach, and address controller/controller, controller/processor, processor/processor, and processor/controller transfers. They can be used by non-EEA data "exporters" caught by Art 3(2) GDPR.
- In a nutshell, each conclusion of ‘New’ SCCs needs to be accompanied by a transfer impact assessment. All existing international data transfers using ‘old’ SSCs will need to switch to ‘New’ SCCs over the next 18 months.
For the full published text refer to: https://ec.europa.eu/info/sites/default/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf
Kindly reach out to Mr Vladimiro Comodini ([email protected]) or Mr Francois Ganado ([email protected]) for more information.