New Standard Contractual Clauses for transfers of personal data outside the EU/EEA

On 4 June 2021, the European Commission issued new Standard Contractual Clauses (“SCC”) for use in the transfer of personal data outside the EU/EEA, for example to a (sub-)data processor in the United States.

Following the decision in the Schrems II case, SCCs have increasingly been used as a legal basis for transfers of personal data from the EU/EEA to third countries. The purpose of using the SCC as a basis for transfer is to ensure that the person to whom personal data relates is guaranteed the same rights over his personal data as if this personal data were only processed in the EU/EEA.

The European Commission has now issued modernized SCCs, which to a greater extent than the previous Standard Contractual Clauses can help to ensure that the person's rights can continue to be enforced at the same level as provided for in the GDPR.

The new SCCs can be used for transfers between data controllers, from a data controller to a data processor and, as something new, for transfers between a data processor and a subprocessor outside the EU. The lack of the latter has been a major shortcoming of the current SCCs, and the new option will make the paperwork significantly easier when a data processor uses subprocessors outside the EU/EEA.

These modernized SCCs replace the three previous sets of SCCs adopted under the previous Data Protection Directive 95/46/EC of 24 October 1995. Already established SCCs based on the previous version remain valid for 18 months. Thereafter, new agreements must be based on the new SCCs.

The new SCCs contain, among other things, provisions on the supremacy of the SCCs as well as the obligations of the transfer actors in all transfer scenarios from a data exporter within an EU/EEA country to a data exporter outside an EU/EEA country. Thus, the new SCCs illustrate the EU's desire to ensure the protection of EU citizens' personal data, which has otherwise been implemented through the GDPR.

The following are typical examples of situations where the new SCCs apply:

  1. Transfer of personal data from a data controller in an EU/EEA country to a data controller in a third country
  2. Data processing for a data controller in an EU/EEA country to a data processor in a third country
  3. Data processing for a data processor in an EU/EEA country to a subprocessor in a third country

It is important to pay special attention when using cloud providers or IT support provided outside the EU/EEA, as such situations will also have to be regulated by the SCC if de facto or possible access to personal data is provided.

If you have questions about the new Standard Contractual Clauses or questions on how they will affect your company, please do not hesitate to contact Associate Partner, Attorney Torsten Hylleberg on +45 33 300 252 or thy@les.dk.