Standard clauses adopted by the Commission
Personal data can also be transferred out of the EU and EEA under the standard contractual clauses (SCC) adopted by the Commission.
The transfer can be based on SCCs if both parties are contractually bound to observe them.
SCCs can be used for transfers
- between two controllers; or
- between a controller and processor.
The controller determines the purposes and means of the processing of personal data.
The processor processes personal data on behalf of the controller and according to its instructions.
The SCCs specify the obligations of both the exporter and importer of the data related to the protection of personal data.
Using SCCs as a transfer basis does not require the permission of the data protection authorities as long as changes are not made to the content of the SCCs.
Standard contractual clauses on EUR-Lex' web service
- Transfer of personal data between two controllers (2001/497/EC)
- Transfer of personal data between two controllers (2004/915/EC)
- Transfer of personal data between a controller and processor (2010/87/EU)
Future amendments to the SCCs
The SCCs can be used as a transfer basis for personal data, even though the Commission has adopted them before the entry into force of the General Data Protection Regulation. The Commission is planning an update to the clauses, however. Further information on the amendments to the SCCs will be published on the website of the Office of the Data Protection Ombudsman as it becomes available.
Transfer of personal data from a controller to a processor
If personal data is transferred from a controller to a processor of personal data, both parties are also required to comply with the GDPR’s requirements concerning the use of processors (Article 28). Read more about the responsibilities of processors
The processing carried out by a processor to be defined in an agreement or other binding legal document between the processor and controller. The agreement confirms the object, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller.