The European Commission’s updated standard contractual clauses (SCCs) on the transfer of personal data to third countries came into force on June 2021. The transition period, which has been set for the adoption of the updated SCCs, ends 27 December 2022. From that date the old SCCs is no longer a valid transfer mechanism to transfer personal data to third countries and must therefore be replaced by the updated SCCs, also for the agreements in force at the moment.

The SCCs can be used as one transfer mechanism for the transfer of personal data to third countries. However, even the updated SCCs alone might not be sufficient for the transfer of personal data outside the EEA.

The personal data controller, as a data exporter, must always conduct a case-by-case risk assessment (Transfer Impact Assessment, TIA). In the TIA, the laws of the recipient country and the possible access of local public authorities to personal data in the recipient country must be assessed, among other things.

If the TIA demonstrates that an adequate level of data protection cannot be guaranteed, the controller must require appropriate additional safeguards from the data recipient. The safeguards can be technical, organizational or contractual. The European Data Protection Board has published recommendations that help controllers and processors assess the need for appropriate supplementary safeguards and choose the suitable safeguards: Click here to read the recommendations

The transfer of personal data to a third country must be suspended if the necessary safeguards are not in place. The use of updated SCCs does not diminish this demand.

For more information, please contact:

Partner Tiina Kekäläinen
puh. +358 50 596 5969
tiina.kekalainen@kalliolaw.fi

Associate Niina Örn       
puh. +358 50 591 1100
niina.orn@kalliolaw.fi