Lexicon > Standard Contract Clauses (SCC)
IT Lexicon
Standard Contract Clauses (SCC)
The standard contractual clauses are model agreements on the processing of personal data adopted by the European Commission for the following categories of personal data transfers:
- Data transfers between EU and non-EU controllers;
- Data transfers between EU controllers and non-EU processors;
- Data transfers between EU processors and non-EU controllers;
- Data transfers between EU and non-EU processors.
They can provide appropriate safeguards for the protection of personal data for international data transfers if the laws or practices of the country of the importer of the data do not compromise the adequate level of protection afforded by the clauses, and in the absence of a decision by the European Commission finding that this third country ensures an adequate level of protection (decision of adequacy).
It is thus up to the importer and exporter of the data to assess in practice whether or not the legislation of the third country allows for the level of protection required by the GDPR and the guarantees provided by the standard contractual clauses.
If the level of protection cannot be met, the exporter of the data must implement additional measures to meet the level of protection or not carry out the intended transfers.
In any case, in addition to the use of standard contractual clauses, the exporter of the data must fulfill its obligations enshrined in the GDPR in its capacity as a data controller or processor.
The standard contractual clauses should not be modified, but the parties may add other additional clauses or guarantees, provided that they do not directly or indirectly contradict the standard contractual clauses and that they do not infringe on the fundamental rights and freedoms of the persons concerned.
GDPR focus
“In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in the third country with appropriate safeguards for the data subject. These safeguards may consist of the use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses authorized by a supervisory authority.”
Recital 108 of the GDPR
Case law focus
The Court of Justice of the European Union (CJEU) has ruled that: ” neither Article 702 of FISA nor E.O. 12333, read in conjunction with PPD-28, meet the minimum requirements of the principle of proportionality under Union law, so that monitoring programs based on these provisions cannot be considered limited to what is strictly necessary.
In those circumstances, the limitations on the protection of personal data which derive from the United States’ internal rules on access to and use of such data transferred from the Union to the United States by the American public authorities, and which the Commission assessed in the BPD decision, are not framed in such a way as to meet requirements which are substantially equivalent to those required under Union law by the second sentence of Article 52(1) of the Charter. “
Court of Justice of the European Union, July 16, 2020, N°C-311/18.
The Bouchara firm assists you in particular in :
- Making your organization GDPR compliant;
- The drafting of data protection policies (privacy policy, computer charter …);
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.
We are also the external Data Protection Officer of many data processors and subcontractors.