The European Commission has adopted today the long-awaited new sets of Standard Contractual Clauses: one for use between controllers and processors in the EU/EEA and one for the transfer of personal data to third countries.

As expected, the new clauses are fully aligned with the GDPR and address the issues derived from the Schrems II decision of the European Court of Justice, which invalidated the EU-US Privacy Shield, and therefore, provide more certainty to companies that transfer data to the US.

One of the main changes introduced by the new Standard Contractual Clauses is that they apply to processor-to-processor and processor-to-controller transfers and they can be used by controllers and processors not established in the EU that are subject to the GDPR. 

The publication of today’s decision from the European Commission has important implications for controllers and processors in the EU and provides them with a more flexible mechanism to regulate their data transfers. The decision foresees an 18-month grace period for companies to adopt the new clauses which is certainly welcomed.  

Stay tuned to hear about the events that we are going to be organizing in the coming weeks regarding the new Standard Contractual Clauses! We will be discussing the key changes introduced, the main implications derived for controllers and processors and the next steps that companies should follow to implement the new clauses.


Guadalupe Sampedro

Patrick Van Eecke

Posted by Cooley