The Standard Contractual Clauses are a legal instrument used to carry out international data transfers between an EEA country and a third country with no adequacy decision. They make it possible to guarantee an adequate level of security after the previous security measures were struck down by the Schrems II decision.
Currently, the Standard Contractual Clauses are the most commonly employed method to enable data transfers between the European Union and third countries. After several revisions, the previous model clauses were not considered reliable enough to guarantee an adequate level of data protection, however, the new Standard Contractual Clauses are adapted to the GDPR and offer other types of advantages that allow contracts to be adapted to the type transfer to be made.
The new Standard Contractual Clauses have the following features:
- The contracts must be individually adapted and have the necessary modules depending on the data transfer scenario.
- The purpose of processing and information on security measures must be added.
- Its structure has four sections. A first introductory section with general clauses on interpretation and hierarchy, a second that includes the obligations of the parties, a third on the obligations of analysis of the country’s regulations and obligations on access by public authorities, and a fourth with the final provisions.
- They are adapted to the GDPR.
- They offer protection to the interested parties.
- They allow the conclusion of contracts by third parties (collective contracts).
- They offer more flexibility and more scope of application.
- They comply with the Schrems II ruling.
- Priority regulation and liability regulation.
- They have more specific considerations on technical and organizational measures.
They are the data protection policies used to carry out international data transfers within a business group or union of companies. The Binding Corporate Rules or BCR will be approved by the competent control authority as established in art. 63 of the GDPR.