Commission sets out to modernise the GDPR toolbox for international data transfers
The Commission has published two sets of draft model data protection clauses to launch the process to revise the existing Standard Contractual Clauses (SCCs). Standard Contractual Clauses are the most commonly used tool for international data transfers, including for transatlantic data flows. The General Data Protection Regulation (GDPR) provides a broad toolbox for international data transfers and standard clauses that companies can use. The modernised clauses will assist companies with their efforts to comply with the GDPR requirements. For its work on modernising the Standard Contractual Clauses, the Commission has also taken into account the guidance from the Schrems II judgment of July 2020. Vice-President for Values and Transparency, Věra Jourová, said: “International data flows are a life-blood of a modern economy. With this updated tool, we want to ensure the high level of protection to our personal data regardless where they are and when they travel. We also want to help businesses with their compliance efforts.” Didier Reynders, Commissioner for Justice, said: “We did not start from scratch after the Schrems II judgment. We were already working intensively to modernise the existing Standard Contractual Clauses, ensuring they correspond to modern business realities.” The publication of the draft model data protection clauses – one on standard contractual clauses between controllers and processors located in the EU, and the other on the transfer of personal data to third countries – is the beginning of a process towards their adoption. The draft clauses have been sent to the European Data Protection Board and the European Data Protection Supervisor for their opinion. After taking these opinions into account, as well as the outcome of the four-week public consultation, the final clauses will be adopted by the Commission, after having obtained the green light from Member States’ representatives in the so-called comitology procedure. The updated clauses will be complemented by the guidance prepared by the European Data Protection Board and which was published on Wednesday.