On 4 June 2021, the Commission adopted two standard contractual clauses (SCCs): one on controllers and processors in the EU/EEA and one on international transfers. With these two SCCs, the Commission is aiming to ensure safer personal data transfer by offering businesses a useful tool to ensure their compliance with the General Data Protection Regulation (GDPR) and to offer greater legal predictability to European businesses in general. These two tools take into account the CJEU’s judgment Schrems II, in which the CJEU backed the SCC model of ensuring legal transfers of personal data to non-EU countries while clarifying the conditions for their use (→ eucrim 2/2020, 98-99).

The SCCs provide companies with an easy-to-implement template, simplifying how companies verify and control their compliance with the data protection requirements. The two SCCs offer a toolbox with an overview of the different steps companies must take to comply with the Schrems II judgment and featuring additional examples of measures required to close existing security gaps (e.g., encryption or pseudonymisation). In order to cater to various transfer scenarios and the complexity of modern processing chains, the SCCs combine general clauses with a modular approach and offer the possibility for more than two parties to adhere to the standard contractual clauses.