A Guide Through the New SCCs

Written by One Trust on 14 January 2021 in Sponsored Article
Sponsored Article

One Trust breaks down the modular approach of the new SCCs

This is the first time in ten years that the commission has published a new set of SCCs for transferring personal data from the EA. It’s difficult to say when these new SCCs will be enforced and adopted. Unlike the current two sets of SCCs, which are based on whether the importer is a data processor or data controller, the new SCCs take a modular approach combined with general provision to cater for four different transfer scenarios and distinguish responsibilities under SCCs on this basis. The modules consist of:  

Module 1: Controller-to-Controller  

  • This module is based on the scenario of a data transfer between two data controllers  

Module 2: Controller-to-Processor 

  • This module is based on the scenario of a data transfer between a data controller and a data processor  

Module 3: Processor-to-Sub-Processor  

  • This module is based on the scenario of a data transfer between a data processor and a data sub-processor  

Module 4: Processor-to-Controller  

  • This module is based on the scenario of a data transfer between a data processor to a data controller 

Though not entirely clear, it seems as though the controllers and processors are to select the module which is best suited to their situation. The commission notes that the ability to do so makes it possible for parties to tailor their obligations under these SCCs to their specific roles and responsibilities.  

These SCCs are complex. The reason being we are trying to document data for a number of different data transfer scenarios with different clauses applying to different modules. Companies are going to have to sit down with the draft SCCs and really work out they apply to them.  

Read the Blog: Schrems II Decision: EDPB Publishes Recommendations 

The New SCCS and Data Protection Safeguards  

Section II of the new SCCs is all about the obligation of the parties and includes nine clauses. Clause 1 is very key in that it sets out the Data Protection Safeguards. These safeguards imbue the protections that travel with the personal data that leaves the EEA. Clause 1 starts with a warranty by the exporter that it has used reasonable efforts to determine the importer is able to satisfy the obligations of the SCCs. This connects back to the Data Transfer Impact Assessment that is a key part of the EDPB recommendations that we’ve discussed previously. 

These Data Protection Safeguards include: 

  • Purpose: Importer is not to use data for an incompatible purpose 
  • Transparency: Importer is to inform the data subject of identity and recipients.  
  • Accuracy: Parties are to ensure that data is accurate, relevant, and limited to what is necessary  
  • Storage: Importer will retain data for no longer than necessary  
  • Security: Importer (and exporter during transmission) should implement appropriate and organizational measures  
  • Special Data: Importer to apply specific restrictions and safeguards  
  • Onward Transfers: Can only transfer to a third party if they agree to be bound by the SCCs 
  • Processing Under Authority of Importer: Importer to ensure any person acting under its authority only acts on its instructions  
  • Documentation: Parties must be able to demonstrate compliance with the SCCs and keep appropriate documentation and make it available to supervisory authorities on request 

It is important to note that each modular approach applies differently to each of these safeguards.  

Read the Blog: Schrems II Dealing with International Transfers 

Final Thoughts on the New SCCs and EDPB Recommendations  

It’s a positive step forward to now have SCCs that cover all types of data transfers and have solutions provided for non-EEA exporters, which weren’t outlined before. The biggest question to consider now is: do companies wait for the new SCCs to be finalized before fully adopting them during this sunset period of the old SCC guidelines? 

Further Schrems II reading:  

Next steps on Schrems II:  

Get Started with OneTrust: OneTrust Schrems II Solutions

About the author

One Trust

OneTrust is the #1 fastest growing and most widely used technology platform to help organizations be more trusted, and operationalize privacy, security, and governance programs. More than 7,500 customers, including half of the Fortune 500, use OneTrust to comply with the CCPA, GDPR, LGPD, PDPA, ISO27001 and hundreds of the world’s privacy and security laws.


Share this page


Related Articles

HMRC lifts lid on £200m programme to achieve data-protection compliance
27 September 2022

Recently released information provides details of three-year project to minimise risk and improve use of data

Data-led reforms unveiled to help Companies House clamp down on ‘criminals and kleptocrats’
27 September 2022

New law will give greater powers for authorities to access information and seize digital currency

Ofcom to probe dominance of big three public-cloud players
26 September 2022

Communications regulator will examine whether the current market conditions stymie innovation and opportunities for smaller players

Home Office review of labour shortages delayed over data problems
23 September 2022

Issues arise in assessment of areas that may benefit from allowing employers to sponsor visas for overseas workers 

Related Sponsored Articles

Keeping tabs on work-issued mobile activity with Antenna
7 September 2022

How can public sector organisations keep track of calls, texts and instant messages in the world of ultra-flexi, hybrid working? Stuart Williams, CTO at FourNet, and Andrew Bale, EVP at Tango...

Rewiring government: improving outcome management
6 September 2022

Paul Pick-Aluas, Strategy & Transformation, Public Sector at Salesforce, explains how governments can use technology innovation to improve how it can analyse outcomes