The European Commission has issued its first Standard Contractual Clauses (SCCs) under the GDPR. These SCCs are drafted to cover transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA.

The new SCCs will come into effect 20 days after publication in the Official Journal, and will replace the three sets of SCCs that were adopted under the Data Protection Directive 95/46. Organisations will have a 15 month window to migrate to the new SCCs.

The new SCCs are more flexible than the old and are structured to enable the parties to combine the general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern data processing arrangements.

The new SCCs also allow controllers and processors to select the module applicable to their situation, and to refine and align their obligations under the SCCs to the roles and responsibilities in relation to the specific data processing being covered. The annexes give details for different transfer scenarios (controller to controller; controller to processor; processor to processor; processor to controller) and offer appropriate modules, including in relation to data protection safeguards; use of sub-processors; data subject rights; redress; liability; and supervision.

With the EDPB’s recommendations on supplemental measures up for approval and the mid-June plenary meeting, now is the right time for organisations to be thinking about updating transfer mechanisms.