Introduction: The New SCC and Their Impact on Companies
The 2021-issued EU GDPR Standard Model Clause (SCC) affects many companies, as any company transferring personal data to third countries outside the EU must re-enter its data transfer agreements. These rules apply to both data controllers and data processors.
SMEs and Legal Compliance
Especially among small and medium-sized enterprises (SMEs), compliance with the regulations is still progressing slowly, which could be further complicated by the introduction of the new rules. The new SCC modules introduce several novelties that could significantly change the data handling practices of companies.
The New SCC Modules and Their Application
Instead of the previous clauses that only applied to the relationship between the data controller and the data processor, four different modules have now been published, each subject to its own rules. The new rules also take into account situations where a data processor transfers data to another data processor or to a data controller. Additionally, the new SCC allows multiple parties to enter into data transfer agreements, considering complex economic situations.
Access of Third Country Intelligence Services and the Need for Protection
The new SCC stipulates that companies transferring data must consider the access rights of intelligence services and authorities from third countries to the data. The rules require strict defenses in case an authority submits an access request, ensuring the protection of the data.
Costs and Resource Demands for Companies
The introduction of the new SCC rules can result in significant costs and resource demands for companies, as substantial changes may be necessary to ensure data protection compliance. The application of the new SCC s is mandatory from December 27, 2022, but it is advisable to regularly check for compliance, as the rules require ongoing monitoring.
Contract Amendments and the Introduction of Internal Processes
The implementation of the rules requires not only contract amendments but also the introduction of new internal processes and, in some cases, a data transfer impact assessment. Based on the European Court of Justice’s Schrems II decision, in addition to contractual guarantees, further technical measures such as encryption may be necessary to protect personal data.
Further Information and Assistance
If you need more valuable information about SCC, sign up for our newsletter. If you need assistance with GDPR compliance, feel free to contact us with your questions.
Dr. Katona Géza, LL.M. ügyvéd (Rechtsanwalt / attorney at law)
___________________________________
Katona és Társai Ügyvédi Társulás
(Katona & Partner Rechtsanwaltssozietät / Attorneys’ Association)
H-106 Budapest, Tündérfürt utca 4.
Tel.: +36 1 225 25 30
Mobil: + 36 70 344 0388
Fax: +36 1 700 27 57