The European Commission has the power to adopt standard contractual clauses as an appropriate safeguard for transfers of personal data to third countries, pursuant to Article 46(2)(c) of Regulation (EU) 2016/679.
On 4 June 2021, the European Commission adopted an implementing decision on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679, repealing as of 21 September 2021:
The SCC address various transfer scenarios and the complexity of modern processing chains. Controllers and processors can use the following options depending on the specific circumstances of the transfer:
– controller-to-controller (C2C);
– controller-to-processor (C2P);
– processor-to-processor (P2P);
– processor-to-controller (P2C), the processor being in the EU and the controller in a third country.
Other important aspects of the SCCs include:
– a possibility for more than two parties to adhere to the clauses;
– a possibility, with some exceptions, to use SCCs when transferring personal data to a sub-processor in a third country;
– a possibility, with some exceptions, for data subjects to invoke the clauses as third-party beneficiaries;
– the clauses provide for rules on liability between the parties when natural persons’ rights are breached and indemnification is required;
– the data subject’s entitlement to compensation for damage suffered when his or her rights as a third-party beneficiary have been breached;
– a requirement that the law of the country of destination does not impinge on the execution of the new SCCs by the controller/processor.
Commission Decisions:
25.06.2021
