Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries
(EU GDPR Compliant, Controller to Controller)


Summary

These template clauses contain "module one" of the EU Standard Contractual Clauses (Model Clauses or SCCs) introduced by Commission Implementing Decision (EU) 2021/914 (2021 EU SCCs) for transfer of personal data from a data controller subject to EU GDPR to a data controller outside the EEA not subject to EU GDPR. This clause includes practical guidance, drafting notes, and alternate clauses.

Chapter V of the EU's General Data Protection Regulation (EU) 2016/679 (EU GDPR) restricts transfers of personal data outside the EEA (or to certain international organisations) unless one of a limited number of appropriate transfer mechanisms is in place. SCCs are one of the mechanisms that may be used to help legitimise otherwise restricted international transfers under the EU GDPR. These template SCCs may be used for international transfers outside the EEA from a controller to another controller. Article 46(2)(c) of Regulation (EU) 2016/679, EU GDPR.

SCCs available under the EU GDPR

SCCs that may be used to transfer personal data outside the EEA in compliance with Chapter V (Transfers of personal data to third countries or international organisations) of the EU GDPR are:

• "Module one" of the 2021 EU SCCs for controller to controller transfers, which this clause template is based on
• "Module two" of the 2021 EU SCCs for controller to processor transfers, see Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Controller to Processor)
• "Module three" of the 2021 EU SCCs for processor to processor transfers, see Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Processor)
• "Module four" of the 2021 EU SCCs for processor to controller transfers, see templates Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Controller) (Processor Does Not Combine with Personal Data Collected by it in EEA) or Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Controller) (Processor Combines with Personal Data Collected by it in EEA) (as appropriate)

Commission Decision (EU) 2021/914.

Note that the SCCs that were available before 2021 (pre-2021 SCCs) have not been capable of inclusion in new contracts concluded after 26 September 2021, and those already relied on at that date could only continue to be used to provide appropriate safeguards for international transfers under the EU GDPR until 27 December 2022. Those pre-2021 SCCs consisted of:

• Set I—controller to controller SCCs from Commission Decision 2001/497/EC (that set was rarely used as the 2004 set is usually preferred)
• Set II—controller to controller SCCs from Commission Decision 2004/915/EC
• Set II—controller to processor SCCs from Commission Decision 2010/87/EU

Minor modifications in these template clauses as compared with the published 2021 EU SCCs

In the absence of guidance to the contrary, this template includes some minor formatting changes to the 2021 EU SCCs, many of which are broadly in line with the sorts of minor formatting changes the UK Information Commissioner's Office (ICO) previously made to its template versions of the pre-2021 SCCs when making those available for organisations. Examples of such changes include:

• Certain sub-clause headings (e.g., (a), (i) etc.) and text indicating options are in bold for emphasis
• The details of the exporter(s)/importer(s) in Part of Annex have been put into boxes
• Page numbers have been added
• The original clause numbering included in the SCCs has been preserved. In order to accomplish this, it is assumed that any blank clauses (e.g., clause or optionally clause in this template) will be indicated as "[Not used]"

We will keep this approach under review and adapt it as appropriate based on future guidance.
Limited guidance

The Commission has published "questions and answers" addressing certain aspects of the 2021 EU SCCs. See Commission—New standard contractual clauses: questions and answers.

There is uncertainty regarding how a number of provisions and aspects of the 2021 EU SCCs should be interpreted or applied in practice. It is hoped that the Commission will release further guidance (e.g., FAQs). These drafting notes will be supplemented with additional information based on such guidance and emerging market practice in due course.

Whether one set of SCCs can include multiple modules

These template clauses only include provisions from module one. In its opinion on the draft SCCs, the EDPB noted that:

"It is not clear whether one set of the SCCs can include several modules in practice to address different situations, or whether this should amount to the signing of several sets of the SCCs. In order to achieve maximum readability and easiness in the practical application of the SCCs, the EDPB… suggest that the European Commission provides additional guidance (e.g. in the form of flowcharts, publication of Frequently Asked Questions (FAQs), etc.). In particular, it should be made clear that the combination of different modules in a single set of SCCs cannot lead to the blurring of roles and responsibilities among the parties."

See EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries.

Clause 2 of the final SCCs added a reference to the parties being able to modify the Clauses to "select the appropriate Module(s)". However, Recital 10 of the Commission's Implementing Decision refers to single modules being selected and states that organisations should "select the module applicable to their situation". Commission Decision (EU) 2021/914.
Guidance issued by the Commission states that where the parties have different roles (e.g., controller and processor) for direct data transfers they should use the appropriate module for each such transfer:

For example, for some data transfers by a controller (data exporter), the data importer may act as a controller, whereas it may be a processor for others. In that case, the parties may use both Module 1 (for those transfers for which both the data exporter and data importer act as controllers) and Module 2 (for those transfers for which the data exporter acts as controller and the data importer as processor).

Requirement to undertake a "transfer impact assessment" and ensure compliance with Schrems II

All SCCs may only be used where it has been confirmed, based on a case-by-case assessment, that an appropriate level of protection is provided for the personal data in the circumstances (a "transfer impact assessment").

Use of this module in joint controllers' arrangements

Under the EU GDPR regime, joint controllers are defined as two or more controllers that jointly determine the purposes and means of processing. Where there is joint controllership, Article 26 of the EU GDPR imposes additional obligations and requires specific arrangements to be put in place.

In its opinion on the draft version of the 2021 EU SCCs, the EDPB noted that module one (based on its assessment) seemed to only cover transfers between independent controllers and called on the Commission to clarify if it could also be used in joint controllership scenarios. Unfortunately, this point has not been clarified in the final version, which makes no reference to joint controllers or the requirements of Article 26. See EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries.
In our view, it seems reasonable to assume that the Commission, having sought to cover a multitude of transfer scenarios in the 2021 EU SCCs, did intend for this module one to be capable of use in joint controller arrangements. However, it will always be necessary to consider what additional terms are required in the contract to comply with any particular requirements of the EU GDPR, including Article 26 (joint controllers), in the specific circumstances of the transfer.

Execution of the SCCs

Unlike the pre-2021 SCCs, the 2021 EU SCCs do not include specific template execution blocks (see, for example, after clause 12 of the 2010 controller to processor SCCs). The signature blocks in Annex may not meet the necessary formalities required under local law, depending on the applicable local law and circumstances. Therefore, if the SCCs are to be executed separately, it is assumed that execution clauses must be included as appropriate depending on the nature of the parties and applicable law. Local law advice should be taken as appropriate.

In practice, the 2021 EU SCCs are capable of inclusion in a wider contract (e.g., as a schedule or addendum that is appropriately incorporated into the executed agreement). It is perhaps more likely that organisations will choose to adopt that approach rather than separately executing the SCCs. Even if the 2021 EU SCCs are incorporated in a wider contract, it is assumed that the signature lines in Annex must still be signed and completed as appropriate.

Relationship with the UK GDPR

The United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) regime, rather than the EU GDPR, is applicable under UK law.
The UK GDPR is heavily derived from the EU GDPR and generally the terms and core concepts used in the UK GDPR have the same meaning as they do in the EU GDPR, although there are a number of key detailed differences between the two regimes including in respect of restrictions on international transfers. Chapter V of the UK GDPR restricts transfers of personal data outside the UK (or to certain "international organisations").

It is possible to use these template clauses (and the other 2021 EU SCCs) as a basis for personal data transfers outside the UK under the UK GDPR provided that a further model addendum approved by the ICO is also entered into to adapt the SCCs for the UK GDPR.

For additional GDPR resources, see General Data Protection Regulation (GDPR) Overview Resource Kit. For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy.