11 November 2021
The European Commission adopted a new set of Standard Contractual Clauses (“New SCCs”), effective 27 June 2021, for the transfer of personal data to non-EU regions. From 27 September 2021 onwards, data exporters and data importers can only conclude contracts which incorporate the New SCCs for the transfer of personal data out of the European Union. The PCPD has published an FAQ on the practical implications of the New SCCs for cross-border data transfer agreements using the New SCCs.
Key takeaways include:
- The New SCCs apply where a data exporter is subject to the General Data Protection Regulation but the data importer is not. Therefore businesses in Hong Kong may be required to accept the New SCCs where they act as data importers receiving European Union/European Economic Area personal data.
- Organisations have been given a transitional period of 18 months from 27 June 2021 (i.e. the date when the New SCCs became effective) to 27 December 2022 to replace all existing contracts containing the old Standard Contractual Clauses with the New SCCs.
The New SCCS provide for engagement of sub-processors of personal data by a data importer.
For the full version of the FAQ, please visit the PCPD’s website.