Applying the New SCCs – International Transfers Defined?

For almost five years, privacy professionals have been racking their brains over what to do with international transfers of personal data originating in the European Union. The two Schrems decisions of the Court of Justice of the European Union (CJEU) have brought some clarity – we now know that no international transfer may undermine the level of data protection offered under the EU General Data Protection Regulation (GDPR), and that essentially equivalent protection is therefore required – but we still do not know what actually constitutes an international transfer. So far, neither the European Commission nor the European Data Protection Board (EDPB) has been willing to provide a definition. The new Standard Contractual Clauses (SCCs), the main contractual mechanism for transferring personal data from the European Economic Area (EEA, which is the EU plus Norway, Iceland and Liechtenstein) to a non-EEA country (a so-called third country), do however include some indications of how to look at data transfers henceforth.


Scope of application of the new SCCs


Before looking at a possible new definition of international transfers, let’s first take a look at the scope of application of the model clauses as adopted by the European Commission on 4 June 2021. The SCCs can be used as a legal basis to transfer personal data out of the EEA, on the basis of the appropriate safeguards mentioned in Article 46 GDPR. However, when using SCCs, organisations will not need to go through any formalities, as they would, for example, when using Binding Corporate Rules or ad-hoc data protection clauses, both of which require approval from the supervisory authorities. SCCs can be part of a contract negotiated between the parties involved in a data processing operation, and are entirely those parties' responsibility.


The new SCCs bring about one majo ..
