ICO News

EDPB to Provide Much Needed Clarification on New EU SCCs Scope for Importers Subject to the GDPR – JD Supra

The European Data Protection Board (EDPB) recently published Minutes of its last plenary meeting held in September, which sheds light on how the EDPB plans to address the biggest open issue of the new Standard Contractual Clauses (SCCs) — how importers subject to the General Data Protection Regulation (GDPR) could effect a data transfer given the new SCCs only apply to data importers who are not subject to the GDPR.

There has been much speculation as to the meaning behind this limitation, but the EDPB’s Minutes suggest the EDPB is planning to clarify that a cross-border transfer mechanism (e.g., the SCCs) is needed even when the data importer is already required to comply with the GDPR. Read more in our summary below.


As we described in our article here, the EDPB previously announced that they were working on guidance to clarify the interplay between the GDPR territorial scope and the GDPR’s rules on international transfers. In the recently published Minutes, the EDPB indicated that, after the guidance is adopted, the European Commission will develop a specific set of SCCs regarding transfers to importers subject to the GDPR. In doing so, we expect the EDPB will confirm that a transfer to a data importer already subject to the GDPR is a “restricted transfer” regulated by Chapter V of the GDPR. This interpretation is also consistent with the preferred position taken by the UK Information Commissioner’s Office (ICO) during its consultation on the UK SCCs (which closed on 7 October).

The EDPB statements suggest that there will be two sets of the new SCCs — one applicable to importers who are not subject to the GDPR (the SCCs released by the European Commission on June 4th this year), and the other applicable to importers who are subject to the GDPR, to be developed by the European Commission. We anticipate that the latter set of SCCs will include a “lighter” set of obligations on the data importer, given that the importer will already be subject directly to the GDPR, and will likely focus on regulating conduct in the case of requests by public authorities (similar to Section III of the new SCCs).


Clarification on this point is very welcome. However, it now looks like businesses will face further administrative burden in assessing and implementing the correct documentation for data transfers, possibly managing different sets of SCCs depending on the activities of the importer.

The EDPB statements also come at an interesting time for businesses, who are still grappling with transfer impact assessments and managing their transition to the new SCCs. Businesses engaging in cross-border transfers of European data should keep a close eye on the EDPB’s and the ICO’s guidance and be prepared to review their data transfer strategy.


Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.