Introduction: The New SCCs and Their Impact on Companies
The GDPR Standard Contractual Clauses (SCCs), issued by the EU in 2021, affect a wide range of companies, as any business that transfers personal data to third countries outside the EU must revise its data transfer agreements. These rules apply to both data controllers and data processors.
SMEs and Legal Compliance
Small and medium-sized enterprises (SMEs) lag particularly far behind in compliance, and the introduction of the new rules may further complicate the process. The new SCC modules bring several innovations that may significantly reshape companies' data processing practices.
The New SCC Modules and Their Application
Instead of the previous clauses that applied only to controller-processor relationships, four separate modules have now been introduced, each governed by distinct rules. These new rules also cover situations where a processor transfers data to another processor or to a controller. Additionally, the new SCCs allow multiple parties to enter into data transfer agreements, reflecting complex business realities.
Access by Third Country Intelligence Services and the Need for Safeguards
The new SCCs require companies transferring data to consider the access rights of intelligence services and authorities in third countries. The rules prescribe strict safeguards in the event that a public authority submits an access request, thereby ensuring the protection of personal data.
Costs and Resource Implications for Companies
The implementation of the new rules may entail significant costs and resource allocation, as substantial changes might be necessary to ensure data protection compliance. The use of the new SCCs has been mandatory since 27 December 2022, but regular compliance checks are advisable due to the ongoing need for monitoring.
Contract Amendments and Introduction of Internal Procedures
Implementing the rules requires not only amending contracts but also introducing new internal procedures and, in some cases, conducting data transfer impact assessments. Based on the European Court of Justice’s Schrems II decision, companies may need to adopt additional technical measures—such as encryption—alongside contractual safeguards to ensure adequate protection of personal data.
