GDPR questions and answers

Category: Standard Contractual Clauses (SCC)

What Is New Compared to the Previous SCCs?

ANSWER

The new SCCs retain the core elements that were already included in the SCCs adopted under the previous Data Protection Directive. For example, obligations relating to fundamental data protection principles, security requirements, third-party beneficiary rights, and the jurisdiction of courts and supervisory authorities remain in place. At the same time, several significant changes have been introduced.

First, the "architecture" of the SCCs has been updated, for example:

  • The SCCs now cover additional data transfer scenarios. While the previous SCCs were limited to transfers from controller to controller and from controller to processor, the modernized SCCs can be used for multiple transfer scenarios:
    • Controller to Controller (Module 1)
    • Controller to Processor (Module 2)
    • Processor to Processor (Module 3)
    • Processor to Controller (Module 4)
  • Three separate sets of SCCs covering two transfer scenarios have been replaced with a single set of SCCs featuring a modular structure (covering four transfer scenarios). Parties must combine the general provisions (which apply regardless of the transfer scenario) with the module or modules relevant to their specific situation.
  • A docking clause allows new parties to join the SCCs throughout the duration of the agreement.
  • The SCCs are supplemented by annexes containing specific information about the relevant transfers, such as:
    • the list of parties and their roles;
    • a description of the purpose of each individual data transfer under the agreement;
    • the security measures implemented;
    • safeguards applied to protect sensitive data; and
    • other transfer-specific details.

Second, a number of substantive changes have been introduced, including:

  • The SCCs reflect the new requirements of the GDPR, including enhanced transparency obligations, more detailed provisions on data subject rights, data breach notifications, and rules governing onward transfers.
  • For controller-to-processor and processor-to-sub-processor transfers, the requirements of Article 28 GDPR have been incorporated directly into the SCCs. As a result, organizations do not need to sign a separate data processing agreement to comply with Article 28 GDPR.
  • New clauses implement the judgment of the Court of Justice of the European Union in the Schrems II case. Parties using the SCCs must now carry out a Transfer Impact Assessment (TIA), documenting:
    • the specific circumstances of the transfer;
    • the laws of the destination country; and
    • any supplementary safeguards implemented to protect personal data.
  • New obligations relating to access by public authorities to transferred data, including:
    • obligations to inform data exporters about access requests; and
    • obligations to challenge unlawful requests for access to data.

The above answer is based on an official document of the European Commission.

You can review it at: https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf

A translated version of this document is also available on our blog under the title: "Standard Contractual Clauses (SCCs) – Questions and Answers".
