What are EU standard contractual clauses (SCCs)?

TL;DR: “standard contractual clauses” (SCCs) is a generic term in the GDPR which can apply to clauses for i) data processing agreements as per Article 28 or clauses for ii) international transfers of personal data as per Article 46, Chapter V.

Standard contractual clauses (SCCs) under the GDPR have been (especially) relevant since the Privacy Shield was invalidated in July 2020, following the Schrems II ruling.

But there is some confusion around what these really are. “SCCs” seems to be commonly used, and (incorrectly) understood to apply, only to international transfers. So when the European Commission recently published their Questions and Answers document to provide practical guidance on the use of the SCCs, even people working with data protection got confused.

So I wrote an article to try to clarify what GDPR SCCs are and what they can be used for. (And don't miss our Grumpy GDPR podcast episode!)

Below is a quick summary.

Key take-away no. 1: “standard contractual clauses” is a generic term in the GDPR.

Standard Confusing Clauses

Actually, the following terms are used interchangeably for “SCCs” in the GDPR (Articles and Recitals), in the various sets of SCCs, as well as by the EDPB, EDPS, the European Commission (including the Q&A) and various supervisory authorities:

  • contractual clauses
  • model contract clauses
  • model data protection clauses
  • standard contractual clauses
  • standard data protection clauses
  • standard data-protection clauses
  • standard protection clauses

Interestingly, in the actual legal text of the GDPR, “standard contractual clauses” is used in relation to data processing agreements as per Article 28, and “standard data protection clauses” in relation to transfers as per Article 46 – which makes sense, if you think about it, as the key thing with Chapter V is to ensure that the level of protection of natural persons is not undermined.

So the correct acronyms should perhaps be “SCCs” and “SDPCs”… a bit late for that, though...

Key take-away no. 2: There are various sets of SCCs, including for i) data processing agreements, see Article 28(7) and (8), and ii) as “an appropriate safeguard” for transfers, see Article 46(2)(c) and (d).

The first we can call "DPA-SCCs", since they relate to data processing agreements, and the second "transfer-SCCs".

What do you think about the use of "SCCs" in the GDPR?

Check out the full article for further information and (re)sources and the LinkedIn article I posted in September 2021: New SCCs emergency help.

#gdpr #SCCs #schremsii #privacy #dataprotection #compliance

David Spinks

Moderator of Cyber Security and Real Time Systems & Global Digital Identity Groups

2 years

And there is one excellent clause which mandates that suppliers notify the customer in the event of a security breach ... within 72 hours. I would go further and formally request a copy of the investigation report.

Brendan Quinn

Data Protection & AI Consultant | Author of the Data Protection Implementation Guide, A Legal, Risk and Technology Framework for the GDPR | Qualified Irish Solicitor, NY Attorney & FCCA | Consultant Founder, Mighty Trust

2 years

I always thought that the most interesting thing about the SCCs was how the EU Commission amended and expanded the scope of the GDPR through the clauses without actually having to change the core GDPR law.
