Standard clauses adopted by the Commission
Personal data can also be transferred out of the EU and EEA under the standard contractual clauses (SCC) adopted by the Commission. A transition period set for the adoption of the updated standard clauses ended on 27 December 2022.
The transfer can be based on SCCs if both parties are contractually bound to observe them.
SCCs can be used for transfers
- between two controllers;
- between a controller and processor;
- between a processor and controller; and
- between two processors
The controller determines the purposes and means of the processing of personal data.
The processor processes personal data on behalf of the controller and according to its instructions.
The SCCs specify the obligations of both the exporter and importer of the data related to the protection of personal data.
Using SCCs as a transfer basis does not require the permission of the data protection authorities as long as changes are not made to the content of the SCCs.
When using standard contractual clauses, it must be checked on a case-by-case basis if a level of protection of personal data that meets the EU requirements is guaranteed for the transfer of personal data, and the need for supplementary safeguards must be assessed.
Standard clauses for data transfers to third countries
- SCCs as a tool for data transfers on the Commission website: Standard clauses for data transfers to third countries (Article 46)
Old standard clauses in the EUR-Lex online service:
- Transfer of personal data between two controllers (2001/497/EC)
- Transfer of personal data between two controllers (2004/915/EC)
- Transfer of personal data between a controller and processor (2010/87/EU)
Amendments to the SCCs
The European Commission approved the updated standard clauses in June 2021, and they entered into force on 27 June 2021. An 18-month transition period was set for the adoption of the updated standard clauses. The transition period ended on 27 December 2022. The new standard clauses for the transfer of personal data to third countries replace the previous standard clauses for international transfers of data.
The standard clauses were updated to correspond to the requirements of the Schrems II decision issued by the CJEU. The Commission has developed questions and answers to provide practical guidance on the use of the SCCs:
Transfer of personal data from a controller to a processor
If personal data is transferred from a controller to a processor of personal data, both parties are also required to comply with the GDPR’s requirements concerning the use of processors (Article 28). These requirements are taken into account in the new standard clauses for transfers of data.