Standard Contractual Clauses for Data Transfers

If you send personal data from the EU or UK to countries such as the US, India, or China, you need to follow a legal framework to ensure compliance. Standard contractual clauses are the primary tool that businesses use to legally transfer personal data internationally in compliance with data protection regulations.

These pre-approved contracts from regulators enable you to transfer personal data to third countries, ensuring that the data receives adequate protection measures equivalent to local standards.

But here’s what most businesses get wrong: signing standard contractual clauses isn’t enough anymore. Since the Schrems II ruling, you must also conduct risk assessments and implement additional safeguards when necessary.

Key Takeaways

• Standard contractual clauses are pre-approved legal contracts that allow data transfers to countries without adequacy decisions from data protection authorities

• You must use the correct version – EU SCCs for European Union data, UK versions for UK data transfers

• Every transfer requires a transfer risk assessment to evaluate if the destination country’s laws could undermine the contractual clauses

What Are Standard Contractual Clauses?

Standard contractual clauses are template legal agreements provided by the European Commission and UK regulators, allowing organisations to transfer personal data to third countries outside the European Economic Area.

Their core purpose is simple: to ensure that personal data transfers receive the same level of protection abroad as they would under the EU GDPR or UK GDPR.

Unlike binding corporate rules, which require lengthy regulatory approval processes, standard contractual clauses offer a ready-made solution. You can implement them immediately without waiting for your relevant data protection authority to review your specific transfer arrangements.

These contractual clauses create legally binding obligations for data importers. The receiving organisation must implement appropriate safeguards and grant data subjects the same rights they’d have under European Union or UK data protection laws.

For most organisations handling international data transfers, standard contractual clauses represent the most practical transfer mechanism available.

EU SCCs vs UK SCCs: Which Version Do You Need?

Following Brexit, the EU and the UK developed separate versions of standard contractual clauses. You must use the correct clauses based on where your data originates, not where it’s going.

For Data Leaving the EU

New EU SCCs: The European Commission issued new Standard Contractual Clauses (SCCs) on 4 June 2021. All new contracts since 27 September 2021 must use the new SCCs.

For existing contracts using the old SCCs (those signed before 27 September 2021), the EU allowed a transition period. The critical cutoff was 27 December 2022.

The new SCCs feature a modular structure with four different modules:

• Module 1: Controller-to-controller transfers

• Module 2: Controller-to-processor transfers

• Module 3: Processor-to-processor transfers

• Module 4: Processor-to-controller transfers

This modular approach enables you to include only the clauses relevant to your specific transfer scenario, whether you’re working within corporate groups or with external data importers.

For Data Leaving the UK

You have two options for transferring personal data from the UK:

1. International Data Transfer Agreement (IDTA): The UK’s standalone version is designed specifically for UK data transfers

2. UK Addendum: A short attachment that converts new EU SCCs into a compliant solution for UK transfers

The UK addendum works particularly well when the same data transfer involves both EU and UK personal data. Instead of managing separate agreements, you can use EU SCCs with the UK addendum attached.

Simple Rule of Thumb

• EU origin data: Use the new EU SCCs (2021 version)

• UK origin data: Use the IDTA or EU SCCs plus the UK addendum

• EU to UK transfers: Generally, no standard contractual clauses needed due to adequacy decisions

The Schrems II Rule: Why SCCs Alone Aren’t Enough

The landmark Schrems II ruling, issued in July 2020, fundamentally altered the operation of standard contractual clauses. The court found that simply signing these agreements isn’t sufficient if the destination country’s laws could undermine the promised protections.

This ruling specifically targeted US government surveillance laws under FISA 702 and Executive Order 12333, which were deemed incompatible with EU privacy rights.

Transfer Impact Assessments Are Now Mandatory

Every organisation using standard contractual clauses must now conduct and document a transfer impact assessment (for EU transfers) or transfer risk assessment (for UK transfers).

Here’s what this assessment must include:

1. Map your transfer: Document what data you’re sending, to whom, and where it’s going

2. Identify your safeguards: Specify which standard contractual clauses or international data transfer agreement you’re using

3. Assess destination country laws: Evaluate whether local surveillance, law enforcement access, or other legal frameworks could override your contractual protections

4. Implement supplementary measures: Add technical, organisational, or contractual safeguards if you identify risks

5. Document everything: Keep detailed records and update them when relevant laws change

Data protection authorities across multiple jurisdictions now expect organisations to demonstrate these steps during compliance reviews.

Supplementary Measures You Might Need

Common supplementary measures include:

• Technical safeguards: Encryption, pseudonymisation, data minimisation

• Organisational measures: Staff training, access controls, regular audits

• Contractual commitments: Additional privacy warranties, notification requirements

The specific circumstances of your transfer determine which measures are typically required.

When You Need Standard Contractual Clauses: Practical Scenarios

Knowing when standard contractual clauses apply can help companies understand the regulations around international data transfers. 

UK Company Using US Cloud Services

Most US providers don’t have UK adequacy status (except those certified under the UK-US Data Bridge program). If your provider isn’t certified, you’ll need either the IDTA or EU SCCs with the UK addendum, plus a transfer risk assessment.

This scenario affects thousands of UK businesses using services like AWS, Google Cloud, or Microsoft Azure for processing personal data.

EU Company Outsourcing to India

India doesn’t have an adequacy decision from the European Commission. Any personal data transfers to Indian processors require new EU SCCs and a comprehensive transfer impact assessment.

Given India’s developing data protection compliance framework, your assessment will likely identify areas requiring supplementary measures. For a broader perspective, consider how DPIA requirements vary across global jurisdictions.

Multinational Operations in China

China presents unique challenges beyond standard contractual clauses. New Chinese regulations require any data transfer agreements to be filed with cybersecurity authorities within 10 business days of signing.

This creates an additional administrative burden on top of standard transfer impact assessment requirements.

When SCCs Aren’t Needed

UK to Canada transfers typically don’t require standard contractual clauses because Canada has UK adequacy status, provided the data importer falls under Canadian privacy law (PIPEDA).

Similarly, transfers between EU member states within the European Economic Area don’t need these agreements.

How GDPRLocal Helps With Standard Contractual Clauses

Managing compliant international data transfers requires expertise across multiple jurisdictions and ongoing updates to regulations. Here’s how we help organisations ensure compliance:

Selecting the Right Framework

We analyse your specific data flows to determine whether you need EU SCCs, the UK addendum, or IDTA for each transfer relationship. This includes mapping intra-group transfers and complex multi-party arrangements.

Conducting Risk Assessments

Our team performs detailed transfer impact assessments and transfer risk assessments that meet regulatory expectations. We evaluate the laws of destination countries, identify potential conflicts, and recommend appropriate supplementary measures.

Implementing Supplementary Measures

When standard contractual clauses alone aren’t sufficient, we help implement technical and organisational safeguards tailored to your risk profile and business needs.

Ongoing Compliance Monitoring

Data protection laws evolve constantly. We track regulatory changes across multiple jurisdictions and update your transfer arrangements when new requirements emerge.

Staff Training and Documentation

We ensure your team understands their obligations under standard contractual clauses and maintain the electronic documents required for regulatory compliance.

Managing Complex Scenarios

For challenging destinations like China or transfers involving multiple jurisdictions, we coordinate compliance across different regulatory frameworks to ensure protection.

Conclusion

Standard contractual clauses provide a practical foundation for international data transfers, but they’re just the starting point. The Schrems II ruling made it clear that thorough risk assessments and appropriate supplementary measures must accompany these agreements.

With the 27 December 2022 transition deadline now passed, organisations using outdated agreements face immediate compliance risks. The regulatory framework continues to evolve, making ongoing compliance monitoring essential for any business engaged in cross-border data transfers.

Don’t let outdated contracts or incomplete risk assessments put your business at risk. The parties involved in data transfers all share responsibility for ensuring ongoing compliance with data protection principles.

Unsure if your standard contractual clauses are compliant? Contact GDPRLocal for a complete assessment of your data transfer needs.

Frequently Asked Questions

Are old SCCs from before 2021 still valid for existing contracts?

No. Old EU SCCs became completely invalid in December 2022, even for existing contracts. Organisations must update to new SCCs or face compliance violations. The European Commission provided a transition period that has now expired.

When do I need to conduct a Transfer Impact Assessment?

You must conduct a transfer impact assessment for every transfer using standard contractual clauses. This applies regardless of the destination country and must be completed before the transfer begins. The assessment must be documented and regularly reviewed.

Do I need SCCs for transfers to countries with adequacy decisions?

No. Countries with adequacy decisions from your relevant data protection authority don’t require standard contractual clauses. However, verify that your specific transfer scenario falls within the scope of the adequacy decision, as some have limitations or conditions.