Guernsey Data Protection Authority approves new EU Standard Contractual Clauses – Data Protection



Guernsey: The Guernsey Data Protection Authority approves new EU Standard Contractual Clauses

The Office of the Data Protection Authority (“ODPA”) in Guernsey has approved the European Commission's (the “Commission”) new standard contractual clauses (“New SCCs”) for the international transfer of personal data to “third countries” that have not yet passed any data protection laws equivalent to the EU General Data Protection Regulation (“GDPR”) and are therefore not yet considered “adequate”. The ODPA has also published a helpful technical update on international data transfers that contains the current list of jurisdictions with adequacy status.

The new SCCs have a transition period and controllers and processors must transfer all existing contracts to the new SCCs by December 27, 2022.

Guernsey was one of the first jurisdictions outside the EU to enact data protection laws equivalent to GDPR. Pursuant to the Data Protection Act (Bailiwick of Guernsey) of 2017, as amended (the “DP law”), if a controller or processor in Guernsey transfers personal data to a person who is located in a “third country” that has not yet passed data protection laws that the Commission considers to be equivalent to the GDPR, the controller / processor must ensure that one or more guarantees are in place so that individuals can enforce their rights against the controller / processor.

One of these legal guarantees, and probably the most important, is that the controller / processor ensures that there is a contract between the transmitter and the recipient of the personal data that covers certain matters stipulated in the Data Protection Act in order to guarantee permanent protection of the personal data.

The Commission had “Standard Contractual Clauses” (“SCCs”) that could be used for this purpose, and Guernsey had adopted these SCCs.

The Schrems II case

In July 2020 the Court of Justice of the European Union (“ECJ”), in its Schrems II decision (case C-311/18), cast doubt on whether transfers of personal data to persons in third countries can always take place using the SCCs. The ECJ found that the SCCs, as a transfer mechanism, required some work, because a person transferring data to a third country could not rely solely on the SCCs; this person also had to assess the degree of compliance by the third country with the GDPR and ensure that the third country had a level of data protection equivalent to that of the GDPR.

This means that the data recipient in the third country must be obliged to inform the controller / processor exporting the data about any obstacles to compliance with the SCCs. If the laws or regulations of the third country mean that it does not fully comply with the GDPR, the data exporter must stop the data transfer and terminate the contract. If the data exporter violates its obligations under the SCCs, the lead supervisory authority (the ODPA for Guernsey) must intervene and prohibit the exchange of data.

The new SCCs

The new SCCs issued by the Commission take into account and reflect the Schrems II judgment and guarantee a higher level of data protection. However, before the new SCCs could be adopted and relied on by Guernsey companies transferring data to a third country, they had to be approved by the ODPA. This has now happened.

Guernsey companies that transfer personal data internationally, or intend to transfer personal data internationally, to a third country should review their existing contractual arrangements, especially if they rely on the SCCs, to ensure that no gaps exist following either the Schrems II ruling or the acceptance of the new SCCs. A transition period applies to the new SCCs and those responsible for processing and contract processors must use the previous SCCs in new contracts by 27.

About Walkers’ privacy practices

Walkers has a dedicated, experienced data protection group that can provide bespoke privileged legal advice and advice in connection with all aspects of the Channel Islands data protection regulations, including assistance with preparing or amending international data transfer agreements.

The content of this article is intended to provide general guidance on the subject. Expert advice should be sought regarding your specific circumstances.
