Reminder: New Standard Contractual Clauses Took Effect on Sept. 27

GDPR and UK
Written By Luke Schaetzel

Contracts entered into prior to Sept. 27 will need to be amended to adopt the new standard contractual clauses by Dec. 27, 2022.

As of Sept. 27, entities entering new contracts that are subject to the General Data Protection Regulation (“GDPR”) must use the European Commission’s updated Standard Contractual Clauses (“SCCs”).

From this point forward, the E.U. expects entities to use the following two sets of SCCs. First, if an entity is involved in the international transfer of data from the European Economic Area (“EEA”), they must use the SCCs linked here. Second, if an entity is involved in the transfer of data within the EEA, they must use the SCCs linked here.

Contracts entered into prior to Sept. 27 may continue to rely on the old SCCs, but only until late next year. Such contracts that continue to rely on the old SCCs must replace them with the new SCCs by Dec. 27, 2022.

Background and Context

This past summer, the European Commission updated their SCCs to better align with the E.U.’s GDPR and address the post Schrems II legal landscape.

In Schrems II, the Court of Justice of the European Union famously struck down the E.U. - U.S. Privacy Shield. The Court also called into question the validity of the old SCCs. To address the concerns the Court raised, the European Commission adopted the new SCCs.

The first set of new SCCs are familiar as they relate to the traditional transfer of personal data from geographic locations in the EEA to geographic locations outside of the EEA. The second set of new SCCs are brand new, and specifically cover the engagement of data processors in the EEA when there is no transfer of data to a geographic location outside of the EEA. See our earlier, more in-depth analysis of how the SCCs changed here.

As the transatlantic regulatory structure continues to develop and the obligations your business is required to take on change or grow, the Benesch Data Protection and Privacy team is committed to staying at the forefront of knowledge and experience to assist our clients in compliance efforts. We are available to assist you with any compliance needs.

Ryan T. Sulkin at rsulkin@beneschlaw.com or 312.624.6398.

Lucas Schaetzel at lschaetzel@beneschlaw.com or 312.212.4977.

Luke Schaetzel
Previous

U.S. and E.U. Trade and Technology Council Announce Future Work, But No Specifics, on Emerging Tech, Privacy, Data Governance
Next

California Privacy Regulations—CPRA Preliminary Rulemaking Process Begins with Invitation for Comments