Reflection of surrounding buildings on RPC's building.

European Commission publishes Q&As on the new Standard Contractual Clauses

Published on 10 October 2022

The question

What does the latest guidance from the European Commission tell us about the new Standard Contractual Clauses (SCCs) under the EU’s General Data Protection Regulation (GDPR)?

The key takeaway

The European Commission’s Q&A document is a helpful reference point for those getting to grips with the transfer mechanisms under the new SCCs. Remember – the grace period for incorporating the new SCCs into existing contracts is 27 December 2022, so time is fast running out to ensure compliance by this deadline.

The background

Under the GDPR, personal data transfers to countries outside the EU (third countries) can only take place if one or more of the following three conditions is fulfilled: (i) an adequacy decision exists in relation to the relevant country; (ii) an appropriate safeguarding measure has been implemented, such as a suitable contractual provision or binding business rule; or (iii) a suitable derogation exists which covers the circumstances of the transfer.

The pre-approved wording in the SCCs can be used in contracts where the parties deem option (ii) to be the most appropriate. Their validity can only be challenged in the Court of Justice of the European Union. The most recent SCCs were announced in June 2021 and came into force on 27 June 2021. All new contracts from 27 September 2021 have had to include the new SCCs in order to benefit from the certainty afforded by the SCCs. An 18-month grace period was introduced in respect of contracts agreed prior to 27 September 2021 which incorporate the old SCCs, expiring on 27 December 2022. Parties relying on the old SCCs therefore have until 27 December 2022 to update these contracts to include the new SCCs.

The development

The European Commission has recently produced a Q&A document on the new SCCs. This aims to provide practical guidance on both the new SCCs and complying with the GDPR more broadly. There are currently 44 Q&As, to be updated as and when further questions arise. They highlight ways in which the clauses are useful. By way of example, they provide SMEs with ready-made clauses to adopt to save costs in drawing up and agreeing contractual provisions. They also address the dangers of changing the text of the clauses (noting that amending the text means that parties “cannot rely on the legal certainty offered by an EU Act”) and provide guidance on incorporating them into a commercial agreement. They also highlight the new “docking clause”, which enables parties to choose to agree that additional parties may be joined to the contract in the future. 

Why is this important?

The Q&As are a useful reference point for understanding the changes introduced by the new SCCs and their implications. They also act as a reminder of the impending deadline of 27 December 2022 to incorporate the new SCCs into pre-existing contracts (ie before 27 September 2021) where the parties are still relying on the previous versions of the SCCs. Note that the SCCs have also been endorsed by the UK Government, and they appear with limited amendments in the Information Commissioner’s Office new International Data Transfer Agreement. The European Commission’s Q&As may therefore also be useful for parties required to comply with the regulations surrounding personal data transfers from the UK to third countries.

Any practical tips?

The deadline of 27 December 2022 for the SCCs to be incorporated into pre-existing contracts (ie in play with the old SCCs before 27 September 2021) is fast approaching. If you haven’t already reviewed your contract bank to ensure you’re going to comply, now is the time to do it! 

Autumn 2022