• Gdpr
  • September 10, 2021

GDPR Update – New Standard Contractual Clauses have been issued by the European Commission

lawbite

By Lawbite Team

Get Quote Free Legal Help
article
In this article, we explain the impact that the new Standard Contractual Clauses (SCCs) recently issued by the European Union will have on businesses in the UK. 
We will also consider the impact the issue of the new SCCs has on the use of Transfer Impact Assessments (TIAs).


What is new?

The General Data Protection Regulation 2016 (GDPR) governs the transfer of personal data to countries outside of the European Economic Area (EEA). 
Countries outside the EEA are known as third countries - this now includes the UK. 
Safeguards have been put in place to protect the transfer of personal data into third countries that do not contain adequate levels of data protection. The most common method to deliver these safeguards is to use Standard Contractual Clauses.

On 4 June 2021, the European Commission adopted new SCCs

These replace the “old” version adopted under the previous legislation and they came into force on 27 June 2021. The old SCC’s can only be used for a period of three months after this date. However, there is an additional 15-month transitional period where the old SCCs can be used where they have already been incorporated into contracts. This period runs out on 27 December 2022. 
As a UK business, you may see these new Standard Contractual Clauses already appearing in contracts originating from EU countries.


What happens to businesses working under the UK GDPR?

The new SCCs have not yet been adopted into the UK GDPR. Businesses working under the UK GDPR rules will still need to use the old SCCs for data transfers from the UK to non-EEA countries. 
New SCCs are likely to be introduced under the UK GDPR this year. It is hoped that they will be in the same or similar format to the new SCCs. We will update you on any developments in this area as soon as we know more. 


What are the four new types of SCCs?

The new SCCs needed to be adopted due to changes in legislation and new case law.. The new SCCs feature a modular structure of clauses that data exporters will use based on the nature of their roles and responsibilities in relation to the data transfer in question:

  1. Controller-to-Controller, 
  2. Controller-to-Processor
  3. Processor-to-(Sub-)Processor and 
  4. Processor-to-Controller 


Modular content

The new Standard Contractual Clauses contain content that is applicable to all four types of data transfer arrangements listed above, and the new SCCs also contain modular content. 
The modular content is only applicable to specific types of data transfers. Businesses will need to work through the new SCCs to delete the modular content that is not applicable to the data transfers in question. Multi-parties and new ‘docking’ arrangements
The new SCCs are designed to be used by multiple parties. These new SCCs also provide for changes to be made over time including allowing for new parties to join into the SCCs by using a "Docking Clause". 


Data Processing Agreements

Separate data processing agreements or clauses will no longer be required with the new SCCs, the content of Article 28 of GDPR has been incorporated into the new SCCs.


Transfer Impact Assessments 

It is not sufficient for businesses to simply put in place the new or old SCCs (depending on whether UK GDPR or EU GDPR applies).
Businesses are still required to carry out a transfer impact assessment and make it available to the competent authority on request.  


Final words

As mentioned above, the new SCCs have not yet been adopted into the UK GDPR. 
Businesses working under the UK GDPR will still currently need to use the old SCCs for data transfers from the UK to non-EEA countries. 
UK Businesses may still need to use the new SCCs if they are working with businesses in the EEA or overseas and data transfers are taking place under the EU GDPR. Over time it may be that businesses have two sets of SCCs in their standard contracts; we will need to see what happens with the UK GDPR and the adoption of its own new SCCs.


If you are in any doubt about which set of SCCs to use and whether you should be using the new or old SCCs for data transfers, please do not hesitate to contact LawBite for more guidance.



You can get legal assistance from LawBite 

We understand that GDPR compliance can be difficult to navigate – with all those new rules and ongoing processes to comply with. Every business is unique so a one-size approach doesn’t work for everybody. At LawBite, our lawyers will work with you speedily and affordably to understand what your business needs and agree on a pathway to compliance.
LawBite online lawyers and online solicitors provide expert legal advice on all commercial and business matters. Book a non-commit 15-minute call with our friendly lawyers today or learn more by joining LawBite for free.


Additional useful information




In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.



Related Articles

Read more of our latest blog posts, featuring all the latest legal news, analysis and opinion from our expert lawyers.

blog image
  • By Lawbite Team
  • November 08, 2021
Who Needs a Data Representative in the EU for GDPR Compliance?

Obtaining a GDPR Data Representative in the EU for GDPR compliance is an important consideration that you, as a business owner, must think about.  ...


Gdpr
blog image
  • By Lawbite Team
  • September 20, 2021
How to Gain Consent Under the GDPR

Even several years after the introduction of the General Data Protection Regulations (GDPR) in 2018, there is still a lack of understanding about h...


Gdpr
blog image
  • By Lawbite Team
  • September 15, 2021
How to Run a Data Subject Access Request (SAR)

Whether you are a small, medium, or large organisation, receiving a subject access request (SAR) or data subject access request (DSAR) and handling...


Gdpr

LawBite can help you

LawBite is on a mission to provide business legal advice that is easier to access, clearer to understand and much cheaper. Our on-line legal advice platform can quickly connect you with expert business legal advice. Our friendly, highly qualified business lawyers, solicitors and mediators will give you the guidance and reassurance that comes from customised legal advice for small and medium sized business.

Whether you are bringing or defending a legal claim, outsourcing work, want a business contract review to ward off disagreements, talk to an expert trademark lawyer, resolve a contractual dispute with methods like mediation and arbitration, or getting your new company set up and on the right footing with a robust shareholder agreement and GDPR standards, we can help you succeed.

defend a claim

Get Quote

Start
defend a claim

Essentials Plan