The European Commission has released a set of Q&As on the revised Standard Contract Clauses (SCCs) for international data transfers, originally released in June 2021.
The SCCs were first developed in the summer of last year.
They act as a mechanism to provide legal safeguards for companies when they initiate international data transfers, an area that has become increasingly scrutinised in light of the 2020 Schrems II case.
These Q&As are based on feedback received from various stakeholders on their experience of using the new SCCs in the first year since its adoption.
They have been devised by the commission to act as a practical guide on the use of SCCs to assist companies with their data compliance efforts and their data transfer obligations under the General Data Protection Regulation (GDPR), which turned four this week.
Some of the issues that the Q&As tackle may appear obvious to onlookers, but show how complicated the GDPR can be to comply with. For example, one Q&A clarifies that stakeholders that are using the SCCs are able to delete sections that are not applicable to their transfer scenario.
Moreover, the commission has said that counterparties may supplement the SCCs with additional clauses or incorporate them into a broader commercial contract, as long as the other contractual provisions do not contradict the SCCs, either directly or indirectly, or prejudice the rights of data subjects.
Among the issues that the commission has sought to address is whether the SCCs can be used for transfers to data importers who are already in scope of the GDPR, but that transfer data out of the EU.
The commission has said that the SCCs cannot be used for this, but that they are in the process of developing specific guidance on this issue.
Stakeholders have also been told that they are unable to use liability exemptions in regards to the SCCs.
“The parties may not include a general exculpation from liability,” according to the Q&As.
The commission has said that it would likely prejudice the rights and freedoms of individuals, such as by reducing the incentive for parties to ensure compliance with the SCCs.
The Q&As are just one cog in a huge slew of post-GDPR guidance and scrutiny, which while making the EU a global leader for data protection regulation has also left merchants, payments firms and others increasingly vulnerable to fines and investigations for making mistakes in their compliance processes.