The European Commission has announced the launch of a new initiative to develop an additional type of standard contractual clauses (SCCs) that specifically address the situation where a data importer is directly subject to the GDPR. The move would fill in a hole in the existing four modules of SCCs, which are currently drafted with the expectation that the data importer is not otherwise subject to the GDPR.
Importantly, the new set of standard contractual clauses will supplement the existing four modules and not replace them, minimizing the impact to most businesses that use one or more of the modules in the current SCCs as the lawful method of transferring data from the EEA, UK, or Switzerland. Only businesses that force data importers who are directly subject to the GDPR into the existing SCCs may have to update to the new SCCs, when they are available (and likely there will be a transition period).
The draft of the new SCCs is expected 4Q2024, with commission adoption 2Q2025.
Standard contractual clauses (SCCs) are model data protection clauses that EU data exporters can incorporate into their contracts to transfer personal data to data importers in third countries in line with the requirements of the General Data Protection Regulation (GDPR). These clauses address the specific scenario where the data importer is located in a third country but is directly subject to the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.