On June 4, 2021, the European Commission issued two new sets of SCCs: (i) one for the processing of personal information between data controllers and data processors who are subject to the GDPR, and (ii) one for the transfer of personal information outside of the European Union (“EU”). The GDPR lays out specific, compulsory clauses that are required to be in contracts between data controllers and data processors, where such data processors process EU personal information on behalf of such data controllers. These compulsory clauses, as well as other recommended clauses, have been assembled by the European Commission for the convenience of the parties into one document: these Set One SCCs. These Set One SCCs are primarily designed to be used for intra-EU transfers, or other transfers to data processors where the Set Two SCCs are not required. To maintain the validity of these SCCs, it is important to note that they cannot be modified, however, they can be expanded upon, or included as part of a broader contract, as long as such additions do not contradict or detract from these SCCs as written. Am I a data controller? A data controller is the entity that chooses the purposes and means of processing. Data controllers are the owners of the data. Am I a data processor? A data processor can only process data under the instructions of, and on behalf of a data controller. Data processors are typically service providers. Until recently, the two most commonly used mechanisms in the US were the old SCCs and the EU-US Privacy Shield Framework (the “Framework”). Since the Privacy Shield was invalidated in July 2020, companies have had to turn to other approved mechanisms such as the SCCs. They can now consider the Data Privacy Framework discussed below.
147
Made with FlippingBook - Online Brochure Maker