Advocate General’s opinion upholds the legality of Standard Contractual Clauses
The legality of standard contractual clauses as a valid and compliant mechanism for cross-border transfers of personal data outside of the EEA was tested in the most recent development in the Schrems series of cases, Schrems II.
The Advocate General published his opinion today, stating that standard contractual clauses are compliant with the GDPR and the EU Charter of Fundamental Rights.
How to transfer personal data outside of the EEA?
The general rule under GDPR is that personal data can only be exported by a company established in the EU to a non-EU/EEA company provided transfers are based on an “adequacy decision” within the meaning of Article 44 of the GDPR, unless specific derogations can be met that enable an EU company to transfer personal data from the EU to a non-EU/EEA processor.
These derogations can be split into 2 categories:
- Specific legal basis for transferring under the GDPR; and
- The controller “adduces adequate safeguard” for the transfer, in particular in the form of standard contractual clauses (SCCs).
What are SCCs?
SCCs are standard sets of contractual terms and conditions which the sender (based within the EU) and the receiver (based outside the EU/EEA) of personal data both sign up to. These clauses are designed to protect personal data leaving the EU/EEA through contractual obligations in compliance with the GDPR’s requirements in jurisdictions that have not been afforded an “adequacy decision”.
Currently, there are 3 sets of SCCs:
Set 1: under which both parties accept joint and several liability for the data protection obligations.
Set 2: more business-friendly, as it was developed with different trade associations.
Set 3: used for data transfers from EU controllers to non-EU processors.
Our specialist Data Protection team can help you decide whether standard contractual clauses (SCCs) are right for you in helping maintain the flow of data, as well as completing the SCCs. If you’d like more information, please contact Matthew Holman or give us a call on 0345 070 6000.
Research conducted by Salvatore Anania.
If you would like to find out more about our Data Protection team and what we are doing to help businesses of all sizes to comply with the GDPR, please get in touch!