Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries
(EU GDPR Compliant, Processor to Controller) (Processor Combines with Personal Data Collected by it in EEA)
Summary
These clauses contain "module four" of the EU Standard Contractual Clauses (Model Clauses or SCCs) introduced by Commission Implementing Decision (EU) 2021/914 (2021 EU SCCs). These clauses contain practical guidance, drafting notes, and optional clauses.
This version is adapted for the transfer of personal data from a data processor subject to the EU's General Data Protection Regulation (EU) 2016/679 (EU GDPR) to a data controller established outside the EEA that is not subject to the EU GDPR, where the EEA processor combines the personal data received from the third country controller with personal data collected by the processor in the EEA. You should instead use Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Controller) (Processor Does Not Combine with Personal Data Collected by it in EEA) if the EEA processor does not (and will not) combine the personal data received from the third country controller with personal data collected by the processor in the EEA.
Chapter V of the EU GDPR restricts transfers of personal data outside the EEA (or to certain "international organisations") unless one of a limited number of appropriate transfer mechanisms is in place. See Article 46(2)(c) of Regulation (EU) 2016/679, EU GDPR. SCCs are one of the mechanisms that may be used to help legitimize otherwise restricted international transfers under the EU GDPR. These template SCCs may be used for international transfers outside the EEA from a processor to a controller.
SCCs available under the EU GDPR
SCCs that may be used to transfer personal data outside the EEA in compliance with Chapter V (Transfers of personal data to third countries or international organisations) of the EU GDPR are:
• "Module one" of the 2021 EU SCCs for controller to controller transfers, see Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Controller to Controller)
• "Module two" of the 2021 EU SCCs for controller to processor transfers, see Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Controller to Processor)
• "Module three" of the 2021 EU SCCs for processor to processor transfers, see Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Processor)
• "Module four" of the 2021 EU SCCs for processor to controller transfers, which this template is based on, as adapted for a situation where the EEA processor combines the personal data received from the third country controller with personal data collected by the processor in the EEA. You should instead use Standard Contractual Clauses (SCCs) for Transfer of Personal Data to Third Countries (EU GDPR Compliant, Processor to Controller) (Processor Does Not Combine with Personal Data Collected by it in EEA) if the EEA processor does not (and will not) combine the personal data received from the third country controller with personal data collected by the processor in the EEA.
• Commission Decision (EU) 2021/914
• Commission Decision 2001/497/EC
• Commission Decision 2004/915/EC
• Commission Decision 2010/87/EU
Modifications to the SCCs
Clause 2 of the 2021 EU SCCs states that organisations are permitted to:
• Include the SCCs in a wider contract –and/or–
• Add other clauses or additional safeguards provided the resulting arrangements do not contradict, directly or indirectly, the 2021 EU SCCs or prejudice the fundamental rights or freedoms of data subjects.
Otherwise, the 2021 EU SCCs may not be modified if they are to be relied on as an appropriate safeguard, except to select the appropriate module(s) or to add or update information in the appendix. Practitioners have generally sought to enter into SCCs with little or no change (e.g., even avoiding making corrections to minor inconsistencies or typos).
Minor modifications in this precedent as compared with the published 2021 EU SCCs
In the absence of guidance to the contrary, this template includes some minor formatting changes to the 2021 EU SCCs. Many of these are broadly in line with the sorts of minor formatting changes made by a supervisory authority on a previous occasion (specifically the UK Information Commissioner's Office (ICO), while the UK was still part of the EU, when it made template versions of the pre-2021 SCCs available on its website with some common-sense formatting amendments). Examples of such changes include:
• The footnotes have been extracted and presented as a separate list (and renumbered) at the end of the main clauses and there are some minor adjustments to the layout (each similar to approaches the ICO took in its template pre-2021 SCCs)
• Certain sub-clause headings (e.g., (a), (i), etc.) and text indicating options are in bold for emphasis
• The details of the exporter(s)/importer(s) in Part of Annex have been put into boxes
• Page numbers have been added
• The original clause numbering included in the SCCs has been preserved. In order to accomplish this, it is assumed that any blank clauses (e.g., clauses , , and optionally clause in this template) will be indicated as "[Not Used]"
• Annexes, and parts of Annexes, that are not used (e.g., Part C (Competent supervisory authority) of Annex and the whole of Annexes II and III) are wholly omitted
We will keep this approach under review and adapt it as appropriate based on future guidance.
Limited guidance
The Commission has published "questions and answers" addressing certain aspects of the 2021 EU SCCs. See Commission—New standard contractual clauses: questions and answers. There is uncertainty regarding how a number of provisions and aspects of the 2021 EU SCCs should be interpreted or applied in practice. It is hoped that the Commission will release further guidance (e.g., FAQs). These drafting notes will be supplemented with additional information based on such guidance and emerging market practice in due course.
Whether one set of SCCs can include multiple modules
The Commission has published "questions and answers" addressing certain aspects of the 2021 EU SCCs. This template only includes provisions from module four as adapted for situations where the EEA processor combines the personal data received from the third country controller with personal data collected by the processor in the EEA. In its opinion on the draft SCCs, the EDPB noted that:
It is not clear whether one set of the SCCs can include several modules in practice to address different situations, or whether this should amount to the signing of several sets of the SCCs.
In order to achieve maximum readability and easiness in the practical application of the SCCs, the EDPB… suggest that the European Commission provides additional guidance (e.g., in the form of flowcharts, publication of Frequently Asked Questions (FAQs), etc.). In particular, it should be made clear that the combination of different modules in a single set of SCCs cannot lead to the blurring of roles and responsibilities among the parties.
See EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries.
Clause 2 of the final SCCs added a reference to the parties being able to modify the Clauses to "select the appropriate Module(s)". However, Recital 10 of the Commission's Implementing Decision refers to single modules being selected and states that organisations should "select the module applicable to their situation". See Commission Decision (EU) 2021/914.
Guidance issued by the Commission states that where the parties have different roles (e.g., controller and processor) for direct data transfers they should use the appropriate module for each such transfer:
For example, for some data transfers by a controller (data exporter), the data importer may act as a controller, whereas it may be a processor for others. In that case, the parties may use both Module 1 (for those transfers for which both the data exporter and data importer act as controllers) and Module 2 (for those transfers for which the data exporter acts as controller and the data importer as processor).
Requirement to undertake a "transfer impact assessment" and ensure compliance with Schrems II
All SCCs may only be used where it has been confirmed, based on a case-by-case assessment, that an appropriate level of protection is provided for the personal data in the circumstances (a transfer impact assessment).
Execution of the SCCs
Unlike the pre-2021 SCCs, the 2021 EU SCCs do not include specific precedent execution blocks.
The signature blocks in Annex may not meet the necessary formalities required under local law, depending on the local law and circumstances. Therefore, if the SCCs are to be executed separately, it is assumed that execution clauses must be included as appropriate depending on the nature of the parties and applicable law. Local law advice should be taken as appropriate.
In practice, the 2021 EU SCCs are capable of inclusion in a wider contract (e.g., as a schedule or addendum that is appropriately incorporated into the executed agreement). It is perhaps more likely that organisations will choose to adopt that approach rather than separately executing the SCCs. Even if the 2021 EU SCCs are incorporated in a wider contract, it is assumed that the signature lines in Annex must still be signed and completed as appropriate.
Relationship with the UK GDPR
The United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) regime (rather than the EU GDPR) is applicable under UK law. The UK GDPR is heavily derived from the EU GDPR and generally the terms and core concepts used in the UK GDPR have the same meaning as they do in the EU GDPR, although there are a number of key detailed differences between the two regimes including in respect of restrictions on international transfers. It is possible to use these template clauses (or the other 2021 EU SCCs) as a basis for personal data transfers outside the UK under the UK GDPR provided that a further model addendum approved by the ICO is also entered into to adapt the SCCs for the UK GDPR.
For additional GDPR resources, see General Data Protection Regulation (GDPR) Overview Resource Kit. For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy.