Set One SCCs are primarily designed to be used for intra-EU transfers, or other transfers to data processors where the Set Two SCCs are not required. To maintain the validity of these SCCs, it is important to note that they cannot be modified; however, they can be expanded upon, or included as part of a broader contract, as long as such additions do not contradict or detract from these SCCs as written.
Am I a data controller?
A data controller is the entity that chooses the purposes and means of processing. Data controllers are the owners of the data.
Am I a data processor?
A data processor can only process data under the instructions of, and on behalf of, a data controller. Data processors are typically service providers.
Until recently, the two most commonly used mechanisms in the US were the old SCCs and the EU-US Privacy Shield Framework (the “Framework”). Since the Privacy Shield was invalidated in July 2020, companies have had to turn to other approved mechanisms such as the SCCs. They can now consider the Data Privacy Framework discussed below.
Key Differences between the Old SCCs and New SCCs
The old SCCs were drafted in response to Directive 95/46/EC (1995), the main EU privacy law until 2016 when it was replaced by the GDPR. The new SCCs mirror many of the requirements and principles of the GDPR, including extraterritoriality. The old SCCs came in two separate documents, one for the cross-border transfer of personal information from controller to controller, and one for the cross-border transfer of personal information from controller to processor. The new SCCs, however, come in one document but are divided into four Modules to account for four (instead of only two) cross-