Finally, the standard contractual clauses are adapted to the GDPR and take into account the ECJ case law on the Privacy Shield.

Attention, all already concluded standard contractual clauses must be updated within 18 months, until 27 December 2022.  All newly concluded contracts must take into account the new standard contractual clauses from 29 September 2021.

How are the standard contractual clauses concluded in practice?

In practice, the standard contractual clauses are usually provided by service providers in these forms:

  • Individual contract – Especially when contracting with companies that do not work on a large scale for EU clients, the standard contractual clauses are provided in the form of a contract (usually as a PDF file), which is then signed or signed individually.
  • Part of T&Cs – Large US providers offer standard contractual clauses as parts of or attachments to their T&Cs, so that the standard contractual clauses are automatically concluded with the conclusion of the contract (example of the email platform MailChimp).

However, the conclusion of the standard contractual clauses alone is not sufficient. The level of data privacy must be examined in each individual case. For example, the ECJ and the data privacy supervisory authorities do not reject the transfer of data to third countries (e.g. USA), but would like to have the security checked.

  • Checking the text of the contract – you must check whether the correct standard contractual clauses have been chosen for the respective contractual constellation and whether their content has not been changed. You also need to check that the annexes have been properly completed.
  • Checking the actual level of data protection – You must also check whether the promises to provide an adequate level of data privacy are actually complied with. This means that you must check whether the risk of access to the data by US authorities, as described by the ECJ, is prevented. To ensure an adequate level of data privacy, e.g. encryption procedures, pseudonymisation, server location in the EU or also a low risk for the data of the data subjects contribute.

However, there are interpretation misunderstandings in the recitals of the new standard contractual clauses, contained in point 7:

The standard contractual clauses may only be used for such data transfers to the extent that the processing by the data importer does not fall within the scope of Regulation (EU) 2016/679.

This recital would mean that the standard contractual clauses would always not have to be concluded if, for example, a US Cloud service falls under the GDPR. This would be the case, for example, if Dropbox, Microsoft Cloud or Google Cloud were also aimed at EU citizens. If an EU company then stores customer data in this Cloud, for example, no standard contractual clauses could / would have to be concluded with Dropbox, Microsoft or Google. However, this result contradicts the wording of Art. 44 et seq. GDPR, which does not provide for such an exception in the case of processing in a third country. It is therefore to be hoped that the EU Commission will soon publish an interpretation aid for its erratic interpretation guidelines.

This means that you must become active and take the following measures:

  • Take stock in your own company – check whether data of customers, users, members, etc. are processed in third countries and especially in the USA (or by companies located in these countries).
  • Take stock of subcontractors – It must also be checked whether subcontractors and service providers, e.g. the web host or accounting service, use providers from third countries / USA (e.g. rent servers from Amazon Webservices).
  • Request for new standard contractual clauses – Third country providers must be asked to provide the new standard contractual clauses (alternatively, although less common, standard contractual clauses can be provided to them for review and signature). Similarly, subcontractors must be asked whether corresponding standard contractual clauses have in turn been concluded with their subcontractors in third countries (ideally, copies should be requested).
  • Request for security measures – The providers from third countries must be asked to name the security measures with which the special risks of the third-country transfer are mitigated (e.g. encryption, server location in the EU, pseudonymisation). Subcontractors must also be asked whether their subcontractors from third countries have provided evidence of corresponding security measures (ideally, they should also be asked to provide a list and copies of the confirmations).
  • Checking the standard contractual clauses – you must check that the modules of the standard contractual clauses are correctly selected, that their text has not been modified and that the annexes are properly completed.
  • Verification of the level of data privacy – You must verify, on the basis of the notified security measures, whether a sufficient level of data privacy is ensured for the respective processing of the data by service providers and subcontractors.
  • Logging – you must record the audit procedures for evidence purposes (e.g. in a table with providers, times of requests, results and justification of your audit result).


Even though the end of 2022 is still far in the future, you should urge your contractual partners to replace the standard contractual clauses as soon as possible. Especially because the new standard contractual clauses implement the demands of the data privacy supervisory authority to supplement the previous clauses as a result of the ECJ’s case law on US data transfers. It can therefore be assumed that supervisory authorities will very soon declare the use of US providers on the basis of old standard contractual clauses to be inadmissible.

The Federal Commissioners for Data Privacy and Freedom of Information (BfDI) published on 29.06.2021 that the European Commission will adopt the adequacy decisions for transfers of personal data to the United Kingdom under the General Data Privacy Regulation (GDPR) and the Law Enforcement Directive (LED) on 28.06.2021.

With the recognition of the adequate level of data privacy, data transfers from the European Economic Area (EEA) to the United Kingdom, within the scope of the Decisions, do not require a specific authorisation. The examination of whether the general data privacy requirements for a data transfer are met is necessary and must be carried out independently of this.

Cyber-attacks are becoming more frequent. The number of attacks is increasing and the headlines are piling up. The risk is not eliminated with outsourcing to the Cloud. Cloud service providers also have to rethink and provide answers to questions about security measures. For companies, outsourcing creates a new interface that must be managed.

Cloud service providers can be assessed and their service quality evaluated on the basis of various standards. In Germany, an assessment according to the BSI C5 Cloud standard or according to the IT expert committee of the IDW (FAIT) number 5 is recommended. Corresponding certificates are provided by auditors. Certificates according to ISAE 3000 or ISAE 3402 should be mentioned here.

In addition to the assessment and the resulting selection of a suitable service provider, it is also important to increase the company’s resistance to damage (resilience).

The pandemic in particular has shown how important digital skills and a functioning digital infrastructure are for SMEs. Never before have technologies been implemented so quickly and become a strategy for functioning business processes in many areas. With the rapid development, data is becoming a central component of value creation. For this reason, it is important that companies develop strategies and measures to sustainably protect their operations against cyber attacks. Entrepreneurs owe this not only to their own company, but also to their customers, because your customers also expect companies to develop confidence-building measures in the digital transformation.

We help you to secure your company with a customised early warning system, comprehensive security measures and forensic analysis methods against threats from the Internet. We want to build and strengthen your cyber resilience and develop a preventive, forward-looking cyber strategy for your company. Internally IT-secure and externally trust-building in the digital transformation.

If you have any questions or need a partner for your cyber strategy, please do not hesitate to contact us.