On June 4th, the European Commission issued modernized Standard Contractual Clauses (SCCs) under the EU General Data Protection Regulation (GDPR) for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the EU GDPR) to controllers or processors outside the EU/EEA (and not subject to the EU GDPR).
The modernized SCCs will replace the three sets of SCCs that were adopted under the predecessor of the EU GDPR – Data Protection Directive 95/46/EC – with effect from September 27th, 2021.
From that date, controllers and processors can no longer enter into the European Commission’s ‘old’ SCCs; they can only use the modernized SCCs that were published last June.
Contracts concluded before September 27th, 2021 on the basis of the European Commission’s ‘old’ SCCs will still be deemed to provide appropriate safeguards within the meaning of the EU GDPR until December 27th, 2022 (provided that the data processing captured by the contract remains unchanged). Controllers and processors that are currently not ready to fully comply with the (more onerous) provisions of the modernized SCCs (e.g., in terms of onward data transfers) may therefore prefer to still execute the ‘old’ SCCs before September 27th, 2021.
However, all controllers and processors relying on ‘old’ SCCs that were entered into before September 27th, 2021 will eventually be required to upgrade to the modernized Clauses, or switch to an alternative data transfer mechanism (e.g., Binding Corporate Rules), by December 27th, 2022. This applies to any data transfer for which the SCCs are being used, regardless of whether internal group transfers or transfers to vendors outside the EU/EEA are at stake.