On 4 June 2021, the European Commission published two new sets of standard contractual clauses (SCCs). The first set is intended to regulate the transfer of data from controllers or processors of the EU/EEA (subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). The second is to provide a framework for the relations between controllers and their processors within the European Union.
SCCs for the transfer of personal data to third countries
The new SCCs for the transfer of personal data to third countries replace the previous ones, which were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, to take into account the CJEU ‘Schrems II’ judgment, and to better reflect the widespread use of new and more complex processing operations, often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, notably in case of binding requests from public authorities for disclosure of personal data.
They can now be used by companies, public bodies and associations based in Luxembourg that intend to transfer data which they are required to process to third countries (outside the EU/EEA). However, a transitional period is foreseen during which the old standard contractual clauses adopted on the basis of Directive 95/46 on data protection can continue to be invoked until the end of 2022.
The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Companies, public bodies and associations based in Luxembourg that use processors from Luxembourg or other EU countries can use these SCCs as "contract templates" to be signed with their processors in order to comply with their processor obligations. However, they remain free to sign contracts not based on these SCCs, provided they comply with the requirements of Article 28(3) GDPR.