New standard contractual clauses for data transfers between EU and non-EU countries

New standard contractual clauses for data transfers between EU and non-EU countries

Does your business transfer personal data from the EU to third countries?

On 4 June, the European Commission published its long-awaited decision adopting new SCCs for the transfer of personal data from the EU to third countries. The new SCCs repealed the existing SCCs and reflect the requirements of the GDPR.

Key updates include:

  • Four different types of transfer are recognised, including ‘processor to processor’ and ‘processor to controller’, as opposed to two
  • Controllers and processors can consult a new document to identify the appropriate clauses that apply on a modular basis
  • A ‘docking clause’ mechanism allows additional parties to be added to the contract
  • A mechanism addressing the Schrems II judgement is included

Data exporters now have three months to stop using the legacy SCCs in any new contracts, and 18 months to ensure their entire portfolio of contracts includes the new SCCs as opposed to the old ones. 

Becky White, data protection and GDPR expert at Harper James Solicitors advises: 'Although the new SCCs address some key deficiencies in the previous set, businesses are now under some pressure to react.  Those transferring data from the EU to third countries now have 18 months to review their full suite of commercial contracts, and migrate them to the new SCCs where appropriate.  When it comes to new contracts, businesses have only three months to stop using the legacy SCCs altogether, this should be factored into ongoing negotiations as soon as possible. Due to Brexit, the position for UK data exporters transferring data to third countries is unaffected by the publication of the new SCCs due and transfers will continue to be based on the legacy SCCs, although the ICO has confirmed it intends to consult on new UK SCCs shortly.'

Our new guide covers the changes to SCCs in more detail and includes some suggestions on how to approach a contract remediation project. If you'd like help with any aspect of understanding and complying with GDPR, get in touch with our friendly and knowledgeable experts.

Our data protection expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is a highly experienced commercial lawyer, specialising in Data Protection and Privacy Law matters. She trained in at DAC Beachcroft in the City of London nearly 20 years ago, and then spent most of her career working in-house as the senior or sole legal adviser in a variety of sectors including Construction and Engineering, Oil and Gas, Government and Recruitment.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
Floor 2, Cubo, 38 Carver Street, Sheffield, S1 4FS
A national law firm

To access legal support from just £140 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry