According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.
On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Since 27 September 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs.
Until 27 December 2022, controllers and processors can continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, provided that the processing operations that are the subject matter of the contract remain unchanged.
The Commission developed Questions and Answers (Q&As) to provide practical guidance on the use of the SCCs and assist stakeholders in their compliance efforts under the General Data Protection Regulation (GDPR). These Q&As are based on feedback received from various stakeholders on their experience with using the new SCCs in the first months after their adoption. The Q&As are intended to be a ‘dynamic’ source of information and will be updated as new questions arise.
EU and ASEAN develop joint guidance on the use of model clauses for data transfers
Several organisations and third countries are developing or have issued their own model contractual clauses on the basis of converging principles that are also shared by the EU SCCs. The Commission is intensifying its cooperation with these international partners to further facilitate data transfers between different regions of the world on the basis of such contractual instruments. ASEAN (the Association of Southeast Asian Nations) is a key partner in this respect. Together with ASEAN, the Commission has developed a Guide that identifies commonalities between the EU standard contractual clauses and ASEAN model contractual clauses, to assist companies present in both jurisdictions with their compliance efforts under both sets of clauses. This Guide will be complemented with best practices from companies that use these contractual instruments for transferring data.
- Ard-Stiúrthóireacht um Cheartas agus Tomhaltóirí
Standard contractual clauses for international transfers
Modernised standard contractual clauses for the transfer of personal data to third countries