On June 6, the European Commission adopted new Standard Contractual Clauses (SCCs) to enable organizations to transfer personal data outside the European Union (EU) in accordance with the General Data Protection Regulation (GDPR). The new SCCs are intended to address the complex data processing issues that impact modern businesses, and they impose several novel obligations on organizations. Importantly, the new SCCs address situations where the U.S. government (and other non-EU authorities) request access to personal data, which was the core issue presented in the recent Schrems II decision. In order to comply with the GDPR and SCCs, organizations should consider undertaking the following:
- identify the circumstances in which they export or import personal data from the EU,
- determine whether the SCCs are an appropriate data transfer mechanism, and whether they can comply with the onerous requirements set forth in the new SCCs,
- amend existing third-party contracts and intra-group agreements to account for the new SCCs,
- incorporate the new SCCs into contracting process flows for new programs and operations, and
- implement new procedures, where appropriate, and document all policies and assessments for data transfers.