15 September 2021

During summer 2021, the European Commission published two new "standard contractual clauses" on data protection regulation, which can be applied on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR , and to the transfers of personal data to third countries, on the other. In this article, we answer the questions: what these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?

1. Standard contractual clauses in general

The new standard contractual clauses ("SCC") adopted by the European Commission serve the purpose of making it easier for data controllers or processors subject to the GDPR to comply with the GDPR.

The SCCs are "model contracts" for the processing of data with a predefined content, and if applied, the data processing in question is deemed to be in compliance with the GDPR.

The Commission has issued SCCs in the past, however, they were adopted under the pre-GDPR regulation and have become obsolete due to the entry into force of the GDPR and the consequences of the Schrems II judgment.[1]

2. Data Processing SSC[2]

According to the article 28 of the GDPR, the data processing carried out by the data processor[3] shall be governed by a contract with the content specified in detail in the GDPR, which shall contain, in addition to the characteristics of the data processing (subject, duration, nature and purpose of the processing, etc.), several other obligations applicable to the data processor, including, among others:

  1. the data processor shall only process personal data on the basis of written instructions from the data controller;
  2. the data processor shall ensure that persons authorised to process the data are under an obligation of confidentiality;
  3. the processor shall ensure the security of the data processing, etc.

However, the GDPR allows[4] the Commission to develop "model" SCC that fulfil the above requirements set out in the GDPR.

The new Data Processing SSC is such a "model" contract, which therefore means simplification for data controllers and processors, as they do not have to draft their own data processing contract, but they can use the Data Processing SSC developed by the Commission.

3.Standard contractual clauses for data transfers to third countries[5] ("Data Transfer SCC")[6]

Based on the GDPR, as a general rule, personal data may only be transferred to a third country if the Commission has determined that the third country provides an adequate level of protection.

However, the SCCs adopted by the Commission also constitute an exception to the above strict regulation in this case, as under the GDPR[7], if they are applied, the controller or processor is deemed to provide adequate safeguards and may transfer personal data to a third country even in the absence of a specific authorisation from the Commission.

The new Data Transfer SCC is therefore also a "model" contract that can be used by the parties for transfers to third countries.

4. What are the main differences between the new and old SCCs?

The new SCCs require stricter rules from the parties, with the main new elements including:

  1. additional obligations for data importers, data processors, in line with the GDPR rules, including notification obligations, data retention restrictions and data security obligations;
  2. more flexible rules on multi-party data processing; taking into account that the new SCCs allow third parties to join the SCCs under their "docking clauses";
  3. more flexible options regarding the choice of law and place of dispute resolution governing the SCCs.

It should be highlighted that the Data Transfer SCC regulates the provisions on data transfers between controllers and processors in a new structure, in a modular system. In the new modular system, controllers and processors may use the following four types of contracts, defined by the contractual position of the parties:

  1. Transfers between controllers
  2. Transfers from controller to processor
  3. Transfers between processors
  4. Transfers from processor to controller

A significant novelty is that the Commission has also adopted a set of SCCs (modules) for data transfers between processors and from processor to controller, which were not previously covered, and which will significantly simplify such data transfers.

Can the SCCs be amended or supplemented?

In general, the contracting parties may not modify the SCCs, except for the addition of information on the parties and the characteristics of data processing.

However, the parties may incorporate the SCCs into a broader contract, add other clauses or additional safeguards to the SCCs, provided that they do not directly or indirectly contradict these SCCs and do not adversely affect the fundamental rights or freedoms of data subjects.

5. When do the new SCCs apply?

Both new SCCs is applicable from 27th June 2021 and it is important to note that, according to the decision adopting the Data Transfer SCC, the previous SCCs on this subject will no longer be applicable from 27th September 2021.

However, the Commission Decision also provides a grace period for data controllers and processors in relation to data transfers to third countries,[8] namely that the previous SCCs may be applied until 27 December 2022 at the latest for previously concluded contracts, subject to certain conditions. [9]

From 27 December 2022, only the new SCCs shall be applied.

6. What should you do in view of the publication of the Data Processing SCCs and Data Transfer SCCs?

Data Processing SCC:

As of 27 June 2021, you can use the new Data Processing SCC to your data processing contracts, and both your business and the other party  shall comply with the new, stricter terms.

Data Transfer SCC:

You may maintain contracts already entered into under the previous SCC, with additional appropriate guarantees, until 27 December 2022, provided that the terms and conditions therein remain unchanged, but you have to develop an amendment to these contracts under the new Data Transfer SCC during this transitional period.

In any case, from 27 September 2022, you will have to apply the new SCC to your contracts for data transfers to third countries.


[1] Decision No.C‑311/18. Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems

[2] Commission Implementing Decision (EU) 2021/915 Of 4 June 2021 on Standard Contractual Clauses Between Controllers And Processors Under Article 28(7) Of Regulation (EU) 2016/679 Of The European Parliament And Of The Council And Article 29(7) Of Regulation (EU) 2018/1725 Of The European Parliament And Of The Council

[3] a person who processes personal data on behalf of the controller, e.g.: a company's payroll administrator

[4] Section 28(7) of GDPR

[5] non-EEA countries, such as the United States of America

[6] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council

[7] Section 46(2)(c) of the GDPR

[8] Section 4 of Data Transfer SCC

[9] The processing operations that are the subject of the contract remain unchanged and the reference to those conditions ensures that the transfer of personal data is subject to appropriate safeguards.