About the mySCCcreator
On 4 June 2021, the European Commission (Link) published its final Implementing Decision adopting new standard contractual clauses for the transfer of personal data to third countries ("SCC"). The Implementing Decision will be effective on the 20th day following its publication in the Official Journal of the EU (“OJEU”), meaning that the SCC can be used since 27 June 2021. However, the Commission decisions approving the current SCC will not be repealed for a further three months from that effective date. There is also a transitional provision, stating that contracts using the current standard contractual clauses will provide appropriate safeguards for data transfers for 15 months from that effective date.
When do you need the SCC?
The SCC can be used whenever the exporting party is subject to the GDPR – even if the data exporter is not established in the EU. If a controller is subject to the GDPR on an extra-territorial basis, for example, because it is apparent that it intends to offer goods and services to data subjects in the EU (i.e. Art. 3 (2)(a) of the GDPR), and that controller wishes to transfer EU personal data to a processor, it could now use the SCC to do this.
What do the SCC cover?
Compared to the old SCC, which provided two controller-to-controller sets and one controller-to-processor set, the new SCC take a modular approach. The SCC can be used for the following transfers:
- Module 1: From a controller to another controller (C2C)
- Module 2: From a controller to a processor (C2P)
- Module 3: From a processor to a processor (P2P)
- Module 4: From a processor to its appointing controller (P2C)
Please note that the Fieldfisher mySCCcreator is for information purposes only and its use does not constitute legal advice in particular. It should be noted that the provided document does not constitute a legally binding agreement, for example, the annexes to the SCC must still be completed by the parties involved for the individual case. Annex 1 covers the description of the transfers, Annex 2 deals with the technical and organizational security measures implemented to protect the transferred data and Annex 3 sets out a sub-processor list, and is intended for use where the data importer must receive specific authorization from the data exporter to appoint sub-processors.
For specific legal queries, we recommend that you seek the advice of one of our experts.