Please ensure Javascript is enabled for purposes of website accessibility

People

Big things are happening at Ogier. Change is embedded in everything we do. It is redefining our talent, our ways of working, our platforms of delivery, our culture.

Expertise

Services

We have the expertise to handle the most demanding transactions. Our commercial understanding and experience of working with leading financial institutions, professional advisers and regulatory bodies means we add real value to clients’ businesses.

View all Services

Employment law

Intellectual Property

Listing services

Restructuring and Insolvency

Business Services Team

Executive Team

German Desk

Accounting and Financial Reporting Services

Cayman Islands AML/CFT training

Corporate Services

Debt Capital Markets

Governance Services

Investor Services

Ogier Connect

Private Wealth Services

Real Estate Services

Regulatory and Compliance Services

Ogier Global

Consulting

View all Consulting

Sustainable Investment Consulting

LexTech - Technology Consultants

Business Services Team

View all Business Services Team

Sectors

Our sector approach relies on smart collaboration between teams who have a deep understanding of related businesses and industry dynamics. The specific combination of our highly informed experts helps our clients to see around corners.

View all Sectors

Aviation and Marine

BVI Law in Europe and Asia

Energy and Natural Resources

Family Office

Foreign direct investment (FDI)

Funds Hub

Private Equity

Real Estate

Restructuring and Insolvency

Sustainable Investing and ESG

Technology and Web3

Trusts Advisory Group

Locations

Ogier provides practical advice on BVI, Cayman Islands, Guernsey, Irish, Jersey and Luxembourg law through our global network of offices across the Asian, Caribbean and European timezones. Ogier is the only firm to advise on this unique combination of laws.

News and insights

Keep up to date with industry insights, analysis and reviews. Find out about the work of our expert teams and subscribe to receive our newsletters straight to your inbox.

Fresh thinking, sharper opinion.

About us

We get straight to the point, managing complexity to get to the essentials. Our global network of offices covers every time zone. 

No Content Set
Exception:
Website.Models.ViewModels.Components.General.Banners.BannerComponentVm

GDPR - EU Commission adopts new Standard Contractual Clauses

Insight

22 June 2021

Luxembourg Legal Services

ON THIS PAGE

On Friday, 4 June, the European Commission took a further step to reinforce legal certainty under the GDPR by adopting two new sets of Standard Contractual Clauses (SCCs), intended to allow safe and free cross-border data transfers.

The SCCs come in the form of implementing decisions under the GDPR[1] and provide tools for:

  • data transfers between controllers and processors[2], and
  • transfers of personal data to third countries[3].

While both provide a useful tool for businesses to ensure compliance with data protection safeguards, adoption of the latter was highly anticipated in the aftermath of the Schrems II judgement of the Court of Justice of the European Union (CJEU). This judgement declared the EU Commission's decision on the adequacy of data protection provided by the EU-US Privacy Shield invalid[4]. Although this confirmed the validity in principle of the previous set of SCCs[5], upgrades have become necessary to ensure a level of protection equivalent to the one guaranteed within the EU by the GDPR.

(Please also refer to our previous briefing on the Schrems II judgement here.)

Besides a general update of the SCCs in line with the GDPR, the key points of the new SCCs highlighted by the EU Commission are:

  • "One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses".
  • "More flexibility for complex processing chains, through a 'modular approach' and by offering the possibility for more than two parties to join and use the clauses".
  • "Practical toolbox to comply with the Schrems II judgement, ie an overview of the different steps companies have to take to comply with the Schrems II judgement as well as examples of possible 'supplementary measures', such as encryption, that companies may take if necessary".

The new SCCs will enter into force on 27 June 2021. Previous versions of the SCCs will remain applicable in parallel to the new version until 27 September 2021. During a transition period of 15 months after the entry into force of the new SCCs, data transfer contracts to third countries concluded before 27 September 2021 on the basis of previous versions of the SCCs shall be deemed to provide appropriate safeguards within the meaning of Article 46(1) of the GDPR until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures the transfer of personal data is subject to appropriate safeguards.

What does this mean in practice?

The new version of the SCCs has added some welcome updates; controllers that are transferring personal data to third countries now have a more precise and flexible tool.

However, to remain compliant, in the absence of an adequacy decision covering a data transfer to a certain third country, data controllers will still be obliged to undertake, on a case-by-case basis, an impact assessment to determine whether the new SCCs alone effectively provide for appropriate safeguards against potentially undermining laws or practices of the third country. Should this not be the case, additional safeguards will need to be put in place, following the guidance provided by the CJEU in the Schrems II case and the recommendations subsequently issued by the European Data Protection Board[6].

 


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

[2] Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on SCCs between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council

[3] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council

[4] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield

[5] 2010/87/EU: Commission Decision of 5 February 2010 on SCCs for the transfer of personal data to processors established in third countries under Directive 95/46, as amended; and

2001/497/EC: Commission Decision of 15 June 2001 on SCCs for the transfer of personal data to third countries, under Directive 95/46/EC 

[6] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice

No Content Set
Exception:
Website.Models.ViewModels.Blocks.SiteBlocks.CookiePolicySiteBlockVm