Standard clauses adopted by the Commission
Personal data can also be transferred out of the EU and EEA under the standard contractual clauses (SCC) adopted by the Commission.
The transfer can be based on SCCs if both parties are contractually bound to observe them.
SCCs can be used for transfers
- between two controllers; or
- between a controller and processor.
The controller determines the purposes and means of the processing of personal data.
The processor processes personal data on behalf of the controller and according to its instructions.
The SCCs specify the obligations of both the exporter and importer of the data related to the protection of personal data.
Using SCCs as a transfer basis does not require the permission of the data protection authorities as long as changes are not made to the content of the SCCs.
Standard contractual clauses on EUR-Lex' web service
- Transfer of personal data between two controllers (2001/497/EC)
- Transfer of personal data between two controllers (2004/915/EC)
- Transfer of personal data between a controller and processor (2010/87/EU)
Amendments to the SCCs
The standard contractual clauses are currently being updated. Until further notice, the current standard contractual clauses can be used as the basis for transferring personal data, until the new standard contractual clauses are approved. When using standard contractual clauses, it must be checked on a case-by-case basis if a level of protection of personal data that meets the EU requirements is guaranteed for the transfer of personal data, and the need for supplementary safeguards must be assessed.
The European Commission has published drafts of new standard contractual clauses that apply to the transfer of personal data to third countries as well as the processing agreements between the controllers and processors of personal data.
The new standard contractual clauses on the transfer of personal data to third countries will replace the current standard contractual clauses on international data transfers. The standard contractual clauses on processing agreements are completely new. The European Data Protection Board and the European Data Protection Supervisor have published joint opinions on the new standard contractual clauses of the Commission (on EDPB's website). We will issue a notification on our website when additional information about the updated standard contractual clauses becomes available.
Transfer of personal data from a controller to a processor
If personal data is transferred from a controller to a processor of personal data, both parties are also required to comply with the GDPR’s requirements concerning the use of processors (Article 28). Read more about the responsibilities of processors
The processing carried out by a processor to be defined in an agreement or other binding legal document between the processor and controller. The agreement confirms the object, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller.