New standard contractual clauses for data transfers between EU and non-EU countries

New standard contractual clauses for data transfers between EU and non-EU countries

Does your business transfer personal data from the EU to third countries?

On 4 June, the European Commission published its long-awaited decision adopting new SCCs for the transfer of personal data from the EU to third countries. The new SCCs repealed the existing SCCs and reflect the requirements of the GDPR.

Key updates include:

  • Four different types of transfer are recognised, including ‘processor to processor’ and ‘processor to controller’, as opposed to two
  • Controllers and processors can consult a new document to identify the appropriate clauses that apply on a modular basis
  • A ‘docking clause’ mechanism allows additional parties to be added to the contract
  • A mechanism addressing the Schrems II judgement is included

Data exporters now have three months to stop using the legacy SCCs in any new contracts, and 18 months to ensure their entire portfolio of contracts includes the new SCCs as opposed to the old ones. 

Becky White, data protection and GDPR expert at Harper James Solicitors advises: 'Although the new SCCs address some key deficiencies in the previous set, businesses are now under some pressure to react.  Those transferring data from the EU to third countries now have 18 months to review their full suite of commercial contracts, and migrate them to the new SCCs where appropriate.  When it comes to new contracts, businesses have only three months to stop using the legacy SCCs altogether, this should be factored into ongoing negotiations as soon as possible. Due to Brexit, the position for UK data exporters transferring data to third countries is unaffected by the publication of the new SCCs due and transfers will continue to be based on the legacy SCCs, although the ICO has confirmed it intends to consult on new UK SCCs shortly.'

Our new guide covers the changes to SCCs in more detail and includes some suggestions on how to approach a contract remediation project. If you'd like help with any aspect of understanding and complying with GDPR, get in touch with our friendly and knowledgeable experts.

Our data protection expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry