New standard contractual clauses to set up with your service providers

On 27 June, the new standard contractual clauses adopted by the European Commission came into force. The European Commission has chosen to create two categories of these standard contracts:

1/ A version applicable to relations between controllers and processors.

The signing of a contract between the controller and the processor (or Data Protection Agreement - DPA) is mandatory under Article 28.3 of the GDPR. The CNIL has already provided a model contract of this type to help companies comply with the GDPR. This new model enhances the DPAs already in force, particularly with regard to the security measures to be put in place and the extent of the assistance to be provided by a processor to the controller.

2/ A version applicable to all transfers of personal data to countries outside the European Union.

As a reminder, the transfer of personal data to a country outside the EU is prohibited by the GDPR, with certain exceptions. These exceptions include countries that have received an adequacy decision from the European Commission, i.e. whose level of personal data protection is considered equivalent to that of the European Union. A second exception concerns the signing of standard contractual clauses that provide a contractual guarantee of optimum protection for personal data, thereby making a data transfer outside the EU lawful.

In order to adapt to the requirements of the GDPR (in particular the keeping of registers, the one-stop shop, the appointment of a DPO, etc.), the European Commission has had to overhaul the standard contractual clauses by means of a model "with drawers". It has also enriched this mechanism in the light of the Schrems II ruling invalidating the Privacy Shield, by including clauses relating to verification of the recipient country's legislation and examples of any additional measures needed to bring the transfer into compliance.

This new model will be mandatory from September 2021, and companies will have 18 months to replace the previous versions of the standard contractual clauses already signed with their co-contractors, i.e. until 27 December 2022.
