Standard contractual clauses for data transfers between EU and non-EU countries.
According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.
On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46.
The Commission developed Questions and Answers (Q&As) to provide practical guidance on the use of the SCCs and assist stakeholders in their compliance efforts under the GDPR. These Q&As are based on feedback received from various stakeholders on their experience with using the new SCCs in the first months after their adoption. The Q&As are intended to be a ‘dynamic’ source of information and will be updated as new questions arise.
The Commission is in the process of developing additional sets of SCCs for data transfers to third countries by EU institutions and bodies, and for data transfers to controllers or processors outside the EU whose processing operations are directly subject to the GDPR.
Several organisations and third countries are developing or have issued their own model contractual clauses on the basis of converging principles that are also shared by the EU SCCs.
Some jurisdictions have endorsed the EU SCCs as a transfer mechanism under their own national data protection legislation, with limited formal adaptations to their domestic legal order (e.g. the United Kingdom and Switzerland .
Others have developed model clauses that share a number of commonalities with the EU SCCs. This for instance includes:
- the Model Contractual Clauses for transborder data flows of personal data developed on the basis of Convention 108+ by the Council of Europe Consultative Committee of Convention 108,
- the Model Contractual Clauses developed by the Ibero-American Data Protection Network, as well as the accompanying implementation Guide ,
- the ASEAN Model Contractual Clauses for Cross Border Data Flows developed by the Association of Southeast Asian Nations,
- as well as clauses developed at national level, e.g. in New Zealand , Argentina , and the United Kingdom .
The Commission is intensifying its cooperation with international partners to further facilitate data transfers between different regions of the world on the basis of model clauses. ASEAN (the Association of Southeast Asian Nations) is a key partner in this respect. Together with ASEAN, the Commission has developed a Guide on the EU standard contractual clauses and ASEAN model contractual clauses, to assist companies present in both jurisdictions with their compliance efforts under both sets of clauses. The Guide identifies the commonalities between the two sets of clauses and provides non-exhaustive examples of best practices companies can consider to operationalise safeguards required under the clauses.
Modernised standard contractual clauses for the transfer of personal data to third countries