The transfer of personal data to countries outside the EU (or the EEA) is only possible to countries which the EU has recognised by special decision as providing an adequate level of protection. Recently this has happened in relation to transfers to Great Britain or Japan, for example.

Transfer to other countries outside the EU is in principle only possible if appropriate guarantees for the protection of personal data by the data exporter and importer are established. And it is the SCC that is the basic and by far the most widespread tool in practice for creating such appropriate guarantees under the GDPR.

SCCs are a model binding text of a contract between an EU data exporter (controller or, more recently, a personal data processor and a data recipient from a third country (controller or processor)), the text of which is issued by the European Commission.

In June 2021, the European Commission issued new SCCs to replace the original SCCs (last updated in 2010), both in light of the new GDPR requirements and, in particular, in response to European court decisions on the transfer of personal data to the US (phasing out the Safe Harbour transfer mechanism and, subsequently, the Privacy Shield). 

 A fundamental conceptual change is the extension of the scope of new SCCs based on a modular approach. The new SCCs regulate four different clause modules in one set, which, in addition to the standard relations between the data exporter and importer (controller – controller and controller – processor), now also completely modify the processor – processor and processor – controller relations. The exporter and importer of the data must choose the appropriate module according to their relationship, select the relevant provisions, and fill in and conclude the clauses and their annexes.

In addition, the new SCCs introduce more detailed and some entirely new obligations for exporters and importers, and significantly strengthen the rights of data subjects related to transfers and their enforcement, allow access to other parties, or adjust more detailed security or control obligations.

All controllers and processors must immediately verify whether and, if so, on what legal basis, they transmit or share personal data (e.g. on their employees, customers or visitors to their websites) outside the EU.

 

If you do not start using the new SCCs or replace the original SCCs by the above deadlines at the latest, further transmission based on them will be illegal. In such a case, you will not only face high fines from the relevant supervisory authorities (including foreign ones), but you will also be directly liable for damage or other harm (caused by the importer) to the natural persons directly affected.