Last week the European Commission published new "standard contractual clauses" under the General Data Protection Regulation (GDPR) for data transfers to countries outside of the European Union. The Commission aimed to reflect the technological and legal developments after the Schrems II decision of the CJEU and offer instruments for more complex processing chains. Any existing SCCs based on the former clauses must be replaced by 27 December 2022.
The new SCCs impose further obligations on controllers and processors in the EU and abroad. The new modular approach reflects modern processing chains with multiple levels of (sub-)processors. Nonetheless, controllers and processors remain liable for assessing national and international laws that may intervene with the fundamental rights established by the EU.
For further information, please see our Client Alert or feel free to contact us directly to discuss how this may impact your business.