• Press
  • Offices
  • Contact
  • Legal notice
  • EN
  • UPC
  • Firm
    • Main Focus
    • History
    • Guiding Principle
    • Code of Conduct
    • Awards and Rankings
  • Our Practice
    • Legal Areas
    • Industries
  • Our Team
  • News & Events
    • News
    • Events
    • UPC-Update
    • IP-Update
    • Publications
    • B&B Bulletin
  • Career
  • Menu Menu
FIND EXPERTS
  • UPC
  • Firm
  • News & Events
    • News
    • Events
    • UPC-Update
    • IP-Update
    • Publications
    • B&B Bulletin
  • FIND EXPERTS
  • Contact
  • Our Practice
  • Career
  • Offices
  • EN
  • Legal Areas
  • Industries

GDPR – New Standard Contractual Clauses

1. December 2021/in Issue December 2021, Data Protection

Since the CJEU annulled the EU-US Privacy Shield in July 2020, the European Commission’s Standard Contractual Clauses have in practice formed the most relevant basis for cooperation with service providers and partners outside the EU. The Standard Contractual Clauses have now been fundamentally reformed and the new clauses must be implemented since 27 September 2021. We summarise the most important changes and the resulting need for action.

Background

The GDPR protects personal data of EU citizens also outside the EU. Personal data may only be transferred to countries outside the European Union (so-called third-countries) if an adequate level of data protection comparable to the GDPR is guaranteed in these third-countries. For a number of countries, such as most recently the United Kingdom, the adequate level of data protection has been positively established by an adequacy decision of the Commission. For most countries, however, no such adequacy decision exists. This also applies to the USA since the CJEU declared the EU-US Privacy Shield, which has been in force since 2016, null and void in 2020 (judgment of 16.07.2020 – C311/18 – Schrems II). As an alternative, the focus shifted to the possibility of ensuring an adequate level of data protection on a contractual basis by executing the European Commission’s Standard Contractual Clauses.

These Standard Contractual Clauses have now been thoroughly revised by the European Commission and adopted in their latest edition on 4 June 2021 (Implementing Decision (EU) 2021/914). The new Standard Contractual Clauses are to be applied to all new agreements as of 27 September 2021. For legal relationships established by then, the old Standard Contractual Clauses will remain applicable for another 15 months. However, by 27 December 2022 at the latest, all data transfers to third-countries must be adopted to the new Standard Contractual Clauses or an alternative instrument to ensure an adequate level of data protection.

Modular construction principle for different constellations

To cover the different scenarios of international data transfers, the new Standard Contractual Clauses rely on a modular building block principle instead of the previous separate sets of documents for each scenario. On the one hand, this leads to increased flexibility, especially since data transfers between processors and (sub)processors and between processors and controllers are now also covered. On the other hand, the application of the Standard Contractual Clauses thus gains in complexity, especially since the principle remains that the clauses are only considered a suitable guarantee for ensuring an adequate level of data protection if they are used essentially unchanged.

Model order processing agreement included

In addition to guaranteeing an adequate level of data protection, the new Standard Contractual Clauses also explicitly serve to fulfil the obligations under Article 28 (3) and (4) of the GDPR to conclude a data processing agreement. They are thus at the same time a model data processing agreement. For this purpose, the European Commission also adopted separate model data processing clauses, which can be used in domestic processing scenarios (Implementing Decision (EU) 2021/915). Since the use of these clauses is not mandatory, it remains to be seen whether they will prevail in practice compared to the numerous freely available templates for data processing agreements.

New testing and documentation requirements for the implementation of Schrems II

The new Standard Contractual Clauses are in parts obviously designed as a response to the risks identified by the CJEU in Schrems II in the context of third-country transfers, in particular regarding excessive access to personal data by public authorities. However, they do not solve the practical problems arising for implementing companies. For example, the CJEU explicitly requires implementers of the Standard Contractual Clauses to assess the legal provisions applicable in the recipient’s country to see whether the statutory framework even allows the data recipient to comply with the provisions of the Standard Contractual Clauses. If, as in the USA, the legal regulations permit access by public authorities that the CJEU considers incompatible with European standards, the parties must take additional organisational and technical measures to effectively counter these risks.

The new Standard Contractual Clauses manifest this obligation by requiring the contracting parties to conduct a prior impact assessment, the outcome of which must be documented. As a result, both parties must explicitly confirm that there are no concerns about the ability to comply with European data protection standards. The clauses also contain obligations for the data recipient to notify the sending entity about requests from public authorities and to exhaust legal remedies where such remedies are prohibited.

Outlook and recommendation for action

The new Standard Contractual Clauses undoubtedly fit better into the regulatory system of the GDPR and offer practical advantages, such as an increased flexibility and the implementation of the CJEU’s requirements from Schrems II. The mandatory transfer impact assessment on the first view appears to be an intensification of the legal obligations, but ultimately merely implements the situation that applies since Schrem II. Furthermore, the explicit implementation of this requirement in the Standard Contractual Clauses could increase the practical willingness of third-country service providers to participate in a transfer impact assessment as well as the remediation of identified risks through technical and organisational measures.

If no real alternative to the conclusion of the Standard Contractual Clauses is established at the political level, which currently is not foreseeable, there is no way of avoiding the new Standard Contractual Clauses for a cooperation with service providers in third-countries, such as the USA. The current relevance of the topic is also shown by recent measures of the German data protection authorities, which in July 2021 sent questionnaires to companies throughout Germany in a coordinated focus audit regarding the handling of third-country transfers in accordance with Schrems II. Corresponding audits are to be expected in particular in connection with the changeover deadlines for the use of the new Standard Contractual Clauses on 27 December 2022.

Against this background, all EU-based companies should be prepared, whereby the following measures seem advisable for a practicable implementation of the legal requirements:

  • Conducting an internal screening for processes that involve the transfer of data to third-countries, such as the USA (e.g., in the context of website tracking, software tools, etc.).
  • Evaluating the possibility of suitable alternative providers based within the European Union.
  • Preparing different sets of the Standard Contractual Clauses according to own needs.
  • Preparing a standardised impact assessment process for third-country transfers and a catalogue of appropriate, technical and organisational measures to reduce identified risks.
  • Ongoing documentation and review of the measures taken, as evidence for submission to the data protection supervisory authority in case of an audit.

If you have any questions about the new Standard Contractual Clauses or about third-country transfers in general, please do not hesitate to contact us.

/wp-content/uploads/2022/04/boehmert_logo.svg 0 0 Petra Hettenkofer /wp-content/uploads/2022/04/boehmert_logo.svg Petra Hettenkofer2021-12-01 11:13:192022-08-24 13:46:03GDPR – New Standard Contractual Clauses

Author

Dr. Sebastian Engels

Contents

More articles

  • Health Claims Regulation: The use of trademarks… 1. December 2021
  • Protection of the Swiss Army Knife 1. December 2021
  • From Artworks and Copy­rights, NFTs make their… 1. December 2021

More Articles

Health Claims Regulation: The use of trademarks containing health claims finally banned 01. December 2021
Protection of the Swiss Army Knife 01. December 2021
From Artworks and Copy­rights, NFTs make their way into Inventions and Patents 01. December 2021
Recent German Court Decisions and Legislation shape the future of Euro­pean Patent Litigation 01. December 2021
G 4/19 – Confirmation of the prohibition of double patenting before the EPO 01. December 2021

Menu

  • Firm
  • Our Practice
  • Career
  • News & Events
  • FIND EXPERTS

Informations

  • Press
  • Contact
  • Legal notice
  • Data Protection
  • General Terms and Conditions
  • Contact

Legal Areas

  • Employee Inventions
  • Data Protection
  • Designs
  • Domains
  • Information Technology
  • Anti-Trust
  • Licensing
  • Trade Marks
  • Patent Valuation
  • Patents & Utility Models
  • Patent Litigation
  • Product Piracy
  • Copyright
  • Unfair Competition

© Copyright 2025– BOEHMERT & BOEHMERT

Scroll to top Scroll to top Scroll to top
Cookie settings Cookie settings

We need your consent before you can continue to use our website.


If you are under 16 and wish to give your consent to volunteer services, you must ask your parent or guardian for permission. We use cookies and other technologies on our website. Some of them are essential, while others provide you with more advanced information. For more information about how we use your data, please see our Data Protection Policy. There is no obligation to consent to the processing of your data in order to use this offer. You can revoke or adjust your selection at any time under Settings. Please note that due to individual settings, not all functions of the website may be available.

Cookie settings

Accept all cookies

Save settings

Accept only essential cookies

Individual data protection settings

Cookie details Privacy policy Legal notice

Cookie settings Cookie settings

If you are under 16 and wish to give your consent to volunteer services, you must ask your parent or guardian for permission. We use cookies and other technologies on our website. Some of them are essential, while others provide you with more advanced information. For more information about how we use your data, please see our Data Protection Policy. There is no obligation to consent to the processing of your data in order to use this offer. Please note that due to individual settings, not all functions of the website may be available. Here you can find an overview of all cookies used. You can give your consent to entire categories or view more information and thus select only certain cookies.

Accept all cookies Save settings Accept essential cookies only

Back

Cookie settings

Essential cookies enable basic functions and are necessary for the proper functioning of the website.

Display cookie information Hide cookie information

Name
Provider Borlabs GmbH, Legal notice
Purpose Stores the settings of the visitors selected in the Cookie Box of Borlabs Cookie.
Data protection policy https://borlabs.io/privacy/
Cookie name borlabs-cookie
Cookie duration 1 year

Content from video platforms is blocked by default. If cookies from external media are accepted, access to this content no longer requires manual consent.

Display cookie information Hide cookie information

Accept
Name
Provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose Used to unlock YouTube content.
Data protection policy https://policies.google.com/privacy
Host(s) google.com
Cookie name NID
Cookie duration 6 months

Privacy policy Legal notice