Select Page

New Standard Contractual Clauses Modules: A Guide for Businesses

The General Data Protection Regulation (GDPR) has made it mandatory for organizations to adopt measures to protect personal data. One of the measures that organizations use to comply with GDPR is Standard Contractual Clauses (SCCs). SCCs are standardized documents that define the data protection obligations of the processor and the controller when processing personal data. SCCs are an essential component for organizations that are aiming to comply with data protection laws.

Recently, the European Commission has adopted new SCCs modules. These new SCCs modules were published on June 4, 2021, and they replace the previous SCCs modules. The new SCCs modules are expected to address the changes that have taken place since GDPR came into effect in May 2018. The new SCCs modules have been designed to tackle the changes in the legal landscape, such as the Schrems II judgment, which invalidated the Privacy Shield, a framework that was previously used as a legal basis for transferring personal data between the EU and the US.

What Are the New SCCs Modules?

The new SCCs modules are designed to be more flexible, to cater to the needs of different organizations that process personal data. The new SCCs modules have been divided into four different categories:

1. Controller to controller transfers: This module is designed for data transfers between two controllers.

2. Controller to processor transfers: This module is designed for data transfers between a controller and a processor.

3. Processor to processor transfers: This module is designed for data transfers between two processors.

4. Processor to controller transfers: This module is designed for data transfers from a processor to a controller.

The new SCCs modules also contain a modular approach, which allows organizations to choose the clauses that are relevant to their data transfer activities. Organizations can select the clauses that are applicable to their data transfers, which reduces the burden of dealing with complex contractual obligations that may not be relevant to their data transfers.

What Do the New SCCs Modules Mean for Businesses?

The new SCCs modules require organizations to assess their data protection practices and procedures to ensure that they align with the new SCCs requirements. Organizations that process personal data and transfer it to third parties must ensure that they have implemented appropriate technical and organizational measures to protect the personal data.

The new SCCs modules require organizations to carry out risk assessments and identify risks associated with data transfers. Organizations must carry out due diligence on the recipients of personal data to ensure that their personal data is protected. Organizations must also carry out regular audits to ensure that the recipients are complying with the new SCCs requirements.

Conclusion

The new SCCs modules are a welcome development for businesses that process personal data. The modules provide organizations with the flexibility to choose clauses that are relevant to their data transfer activities, reducing the complexity of dealing with contractual obligations that may not be relevant to their data transfers. Organizations must assess their data protection practices and procedures to ensure that they align with the new SCCs requirements. Businesses must also carry out due diligence on the recipients of personal data to ensure that their personal data is protected.

As an organization that processes personal data, it is essential to comply with the GDPR requirements to avoid hefty fines and reputational damage. Adopting the new SCCs modules is a step towards protecting personal data and complying with data protection laws.