Although it may sound a bit overdramatic to open with, it seems safe to say that GDPR is notorious for its restrictions on transfers of personal data to “third countries” – the ones outside the EEA that are not considered to provide adequate data protection (such as the United States, China, or Serbia). Amongst several safeguards available for addressing these restrictions, the companies most often use the standard contractual clauses (“SCCs”) entered with the data recipients in those countries. And since the old SCCs have been in effect for twenty years already, it was about time to replace them with new ones, which implement the upgraded privacy standards brought by the GDPR in 2018, as well as the EPDB recommendations relating to the CJEU’s Scherms II judgment of 2020.
When the European Commission’s new SCCs entered into force on 27 June 2021, a three-month transitional period was provided for the companies to continue executing the old SCCs for any new transfers taking place. That period is set to expire in two weeks, on 27 September 2021, after which the companies wishing to rely on this mechanism will need to implement the new SCCs for new data transfers. For existing data transfers, which are based on the old SCCs executed before this deadline, the transitional period is extended until 27 December 2022, when the companies will finally need to switch to the new SCCs.
What does this mean for Serbian companies?
First, it seems there will be a lot of drafting to do, as all EU companies (and others within GDPR’s extraterritorial reach) transferring data to Serbia will need to enter into new SCCs with their data recipients, to cover any new transfers starting as of 27 September 2021. It may be advisable to do this for the existing transfers as well, since the (already executed) old SCCs can be used until 27 December 2022 only if they indeed provide an “appropriate safeguard” for the transferred data – the standard which has been made significantly stricter by Scherms II judgment and is, therefore, a lot easier to achieve by using the new SCCs.
In addition, the Serbian companies to which the GDPR applies, such as the ones targeting EU individuals, would also need to use the new SCCs (or another GDPR safeguard) for transferring data to other third countries. This is one of the key novelties introduced by the new SCCs, together with regulating the situations where processors act as data exporters and introducing a modular structure adjustable to all transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
The applicability of these new (EU) SCCs to Serbian companies will likely result in complex overlapping issues between the GDPR and the Serbian Data Protection Law, as the latter requires local companies to use the Serbian SCCs when transferring data to third countries and recognises only the SCCs covering the controller-to-processor transfers. Such a dichotomy would have been easy to overcome if the Serbian law recognised the use of EU SCCs, as does the Data Protection Law of North Macedonia, but this is currently not the case.
Perhaps the Serbian regulator may consider addressing this soon, preferably together with other amendments that local Data Protection Law would strongly benefit from, such as the ones enabling the Serbian SCCs to cover all remaining transfer scenarios (and not only the controller-to-processor). Until then, for any such transfers not covered by Serbian SCCs – most notably the intra-group controller-to-controller transfers – the local companies would need to rely on other safeguards available under Serbian law or, in their absence, on the administratively-burdensome approval of the local Data Protection Authority.
Does your company engage in any cross-border transfers of personal data?
If not, however unlikely this may be, enjoy the lack of additional stress while it lasts. If yes, and especially if EU countries are involved, it would be prudent to check how your transfers measure up against the requirements of both the GDPR and the Serbian law, and whether the local business processes could be affected by the new SCCs – the results are unlikely to be as sweet and simple as you expected.
In other words, recent privacy developments seem to indicate that rainy days are coming this fall, so make sure to bring out an umbrella in time – preferably the one large enough to insulate your company from GDPR’s 20m EUR/4% turnover fines.
The new EU SCCs can be seen here.
The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.