Standard Contractual Clauses

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 22 November 2024.

If you transfer personal data outside of the European Union, you'll need to guarantee it stays protected to the standards set out in the GDPR. For many countries this means you'll need to use a standard contractual clause that's binding on the recipient of the data.

Here's what you need to know about using standard contractual clauses (SCCs).


What are Standard Contractual Clauses?

Standard contractual clauses are pre-written sections of legal text specifically written so they can be copied straight into a specific contract to achieve a particular purpose.

In this article we're looking at the standard contractual clauses written by the European Union for use in data transfer agreements between a sender (data exporter) and recipient (data importer). The purpose is to guarantee the recipient protects personal data to the standards required by the GDPR.

Why GDPR Rules Affect Standard Contractual Clauses

Personal data processed in an EU country comes under the General Data Protection Regulation (GDPR). This involves a wide range of rights for data subjects (the people the data is about) and responsibilities for data processors (the people who collect, use or share the data).

The GDPR includes a general principle about transferring that data to a third country, meaning a country outside of the European Union. (Iceland, Liechtenstein and Norway don't count as third countries because the GDPR already applies there through a legal agreement with the EU.)

The principle is that you must use a method specified in the GDPR to make sure you don't undermine the protection that the GDPR gives to data subjects. Transferring the data without using one of the specified methods is a breach of the GDPR.

One of the specific methods is to use standard contractual clauses.

When Do I Need to Use Standard Contractual Clauses?

You must use standard contractual clauses if you cannot use any of the other methods specified in the GDPR. You can of course choose to use standard contractual clauses even if another method is available.

The most significant other method is to do the transfer on the basis of an adequacy decision. This means transferring the data to a country or territory which the European Commission (the European Union's executive branch) has formally ruled as offering the same level of protection as the GDPR.

At the time of writing, these countries are:

  • Andorra
  • Argentina
  • Canada (commercial organizations only)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • United Kingdom (most commercial data use)
  • United States (commercial organizations participating in the EU-U.S. Data Privacy Framework)
  • Uruguay

Most of the other specified methods are restricted to specific circumstances. This includes transfers between public authorities, transfers within a corporate group, and transfers where the third country has an enforceable code of conduct that the EU recognizes as equivalent to the GDPR's protections.

There's also an exemption if the data subject has explicitly consented to the transfer having known and understood that their data will not have the same level of protection in the third country.

For the most part though, if you're transferring data to a business in a country that isn't covered by an adequacy decision, you'll need to use standard contractual clauses.

Are the Rules for Standard Contractual Clauses Different With Data Processors?

The rules are the same for all transfers.

The GDPR puts people and organizations who use personal data into two categories:

  • Data controllers are the people who decide what data is processed and why. They may or may not also do the processing.
  • Data processors work on behalf of a data controller. They process the data in line with the data controller's instructions.

The rules on third country transfers and Standard Contractual Clauses do not distinguish between data controllers and data processors. They apply to any transfer from either a data controller or a data processor in an EU country to either a data controller or a data processor in a third country.

What Must Be in the Standard Contractual Clauses?

The European Union has published the full text of the standard contractual clauses. The full text of the clauses is in the "Annex" sections.

Most of the clauses are designed for use in all cases, and you should simply insert them into your agreement.

Some clauses have alternative versions depending on which of four situations apply:

  • Transfer from a controller to a controller
  • Transfer from a controller to a processor
  • Transfer from a processor to a processor
  • Transfer from a processor to a controller

You should simply insert the relevant version.

Are There Any Other Requirements When Using Standard Contractual Clauses?

The standard contractual clauses must be legally binding on both sides (the exporter and importer of the data).

To make certain this is the case, the standard contractual clauses conclude with a section ("Annex 1") that includes a specific declaration to this effect.

Both sides must sign this section, provide their contact details, and state their roles (data exporter or importer, data controller or processor).

This is separate to any signature on the overall agreement or contract in which the standard contractual clauses have been inserted.

Can I Change the Standard Contractual Clauses or Write My Own?

You don't have to use the standard contractual clauses exactly as written, but some changes could affect your compliance with the GDPR.

The GDPR lets you vary the clauses in two ways. Firstly, you can add extra clauses as long as they don't undermine anything in the standard contractual clauses. Secondly, you can leave out anything in the standard contractual clauses that isn't relevant to your situation.

Changing the text of the standard contractual clauses is more problematic. It means you'll no longer automatically comply with the GDPR's requirements to protect data transferred to a third country. Instead, you'll need to prove that your rewritten clauses still offer the required level of protection.

The same applies if you simply write your own contractual clauses covering data transfers. They may still be valid, but the burden is on you to prove they protect the personal data to the required level. You don't get the same automatic compliance that comes with the standard contractual clauses.

Do I Need Standard Contractual Clauses for Internal Transfers?

If you are simply transferring the data within your organization or business, you don't need to use any of the specified methods to protect the data. Remember that if you or the data subject is in a European Union country, you must still follow the GDPR even if your business processes the data in a third country.

The GDPR has special rules for transfers between related businesses.

This includes:

  • Two businesses with the same parent company, including international branches
  • A parent company and a subsidiary
  • Two organizations connected in another way that qualifies as a "group of undertakings"
  • Two organizations that are "engaged in a joint economic activity"

In these cases, the organizations don't need a standard contractual clause. Instead, they can protect the data through binding corporate rules.

These must set out:

  • Who is involved in the transfer
  • What the organization receiving the data must do to protect it to GDPR standards
  • The rights of the data subject regarding the recipient processing the data
  • The fact that the rules are binding both within the organizations and in the relevant court systems
  • How both organizations will make sure the rules are followed
  • What happens if a law in the recipient's country might compromise the binding corporate rules

Has Anything Changed With Standard Contractual Clauses?

The European Union rewrote the standard contractual clauses in 2021. Since the end of 2022, only this version can be used. The original versions, issued in the early 2000s, are no longer valid.

To avoid confusion, the EU sometimes refers to the current documents as the "modernized standard contractual clauses."

In theory, the EU is scheduled to publish another revision of the standard contractual clauses in 2025, though this timescale is not confirmed.

Are These the Only Standard Contractual Clauses?

The European Union also issues standard contractual clauses for the wider legal agreements between data controllers and data processors.

These cover the processing itself rather than any data transfers. They are designed as an easy way for the data controller to show they've taken the necessary steps under the GDPR to make sure data processors protect the relevant data.

Summary

The GDPR says you can only transfer personal data outside of the EU if you can guarantee it will remain protected in the same way. If the country isn't covered by an "adequacy decision" you'll need to prove you've got this guarantee.

The easiest way is to use the standard contractual clauses. These are model clauses written by the EU that legally bind the recipient to protect the data.

You simply need to copy the clauses into your contract with the recipient, leaving out any irrelevant sections. You also need both sides to sign a specific section ("Annex 1") that confirms the clauses are legally binding.

You are legally allowed to alter the standard contractual clauses or write your own clauses, but this doesn't offer the same automatic compliance with the GDPR. Instead, you'll need to prove your clauses have the necessary effect.