22nd September 2021

New rules for data transfers outside the EU

What exactly are SCCs and why is it important?

The transfer of personal data to countries outside the EU (or the EEA) is only possible to countries which the EU has recognised by special decision as providing an adequate level of protection. Recently this has happened in relation to transfers to Great Britain or Japan, for example.
Transfer to other countries outside the EU is in principle only possible if appropriate guarantees for the protection of personal data by the data exporter and importer are established. And it is the SCC that is the basic and by far the most widespread tool in practice for creating such appropriate guarantees under the GDPR.
SCCs are a model binding text of a contract between an EU data exporter (controller or, more recently, a personal data processor and a data recipient from a third country (controller or processor)), the text of which is issued by the European Commission.

What has changed?

In June 2021, the European Commission issued new SCCs to replace the original SCCs (last updated in 2010), both in light of the new GDPR requirements and, in particular, in response to European court decisions on the transfer of personal data to the US (phasing out the Safe Harbour transfer mechanism and, subsequently, the Privacy Shield). 
 A fundamental conceptual change is the extension of the scope of new SCCs based on a modular approach. The new SCCs regulate four different clause modules in one set, which, in addition to the standard relations between the data exporter and importer (controller – controller and controller – processor), now also completely modify the processor – processor and processor – controller relations. The exporter and importer of the data must choose the appropriate module according to their relationship, select the relevant provisions, and fill in and conclude the clauses and their annexes.
In addition, the new SCCs introduce more detailed and some entirely new obligations for exporters and importers, and significantly strengthen the rights of data subjects related to transfers and their enforcement, allow access to other parties, or adjust more detailed security or control obligations.

What do you have to do and when?

All controllers and processors must immediately verify whether and, if so, on what legal basis, they transmit or share personal data (e.g. on their employees, customers or visitors to their websites) outside the EU.
If they use the original SCC for such transfers, they must take the following steps as data exporters:
  • The old original version of the SCC can be used only until 27 September 2021. From 27 September 2021, only new SCCs may be used for newly concluded relationships connected with the transfer of data outside the EU
  • By 27 December 2021 at the latest you must replace the original concluded old SCC and conclude a new SCC with the data importers

What are the possible penalties?

If you do not start using the new SCCs or replace the original SCCs by the above deadlines at the latest, further transmission based on them will be illegal. In such a case, you will not only face high fines from the relevant supervisory authorities (including foreign ones), but you will also be directly liable for damage or other harm (caused by the importer) to the natural persons directly affected.

For more information, please, contact

Radek Matouš | Principal Associate | Eversheds Sutherland, Prague

Members of the American Chamber of Commerce in the Czech Republic