Standard contractual clauses

The standard contractual clauses (SCCs) are model data protection clauses, approved by the UK, which allow for the international transfer of personal data (eg names, addresses and information about racial/ethnic origin). 

The Information Commissioner's Office (ICO) approves the use of model clauses as a means of ensuring adequacy. However, this approval only extends to the use of the model clauses as they stand with additional contractual language added to them that doesn't contradict them in any way.

Personal data can be transferred internationally by an organisation (known as the ‘data exporter’) provided that the organisation receiving the personal data (known as the ‘data receiver’) has adequate safeguards in place. Incorporating the SCCs into an agreement acts as such a safeguard, allowing for the international transfer of personal data.

The SCCs are used for transfers of personal data to ‘restricted third countries' only (eg the USA, Canada and Australia). As the UK has adopted adequacy decisions regulation for the European Economic Area (EEA) and the EU has adopted an adequacy decision for the UK, the SCCs are not needed to transfer personal data from the UK to the EEA, nor are the EU SCCs needed for transfers from the EEA to the UK. For these transfers, a Data processing agreement (DPA) should be used if there is data processing (eg obtaining or recording). If no data processing is taking place, a data sharing agreement should be used.

For more information on DPAs, read Data processing agreements.

Exceptions

The SCCs should not be used where the transfer is covered by an exception. The UK General Data Protection Regulations (GDPR) sets out several exceptions under which data can be transferred without the need for an adequacy decision or other safeguards, like the SCCs. The GDPR sets out the following exceptions:

• explicit consent - the data subject (ie the individual to whom the data relates) has explicitly consented to the transfer in question. The data subject must be able to withdraw consent at any time

• performance of a contract - the transfer is necessary to perform a contract with the data subject or to ‘take steps’ at the request of the data subject towards entering into a contract. Any transfers under this exception must only be occasional (ie the transfer may happen more than once but not regularly)

• performance of a contract that benefits another individual - the transfer is necessary to perform a contract with a data subject that benefits another individual whose data is being transferred (eg a family member). Any transfers under this exception must only be occasional (ie the transfer may happen more than once but not regularly). Public authorities cannot rely on this exception when exercising their public powers

• public interest - the transfer is necessary for the performance of a task in the public interest

• legal claims - the transfer is necessary to establish if the organisation has a legal claim, to make a legal claim or to defend a legal claim. Any transfers under this exception must only be occasional (ie the transfer may happen more than once but not regularly)

• protection of vital interests - the transfer is necessary to protect someone’s life. Here, the risk of serious harm to the individual must outweigh any data protection concerns. Where the data subject is capable of giving consent, this exception cannot be relied on

• transfer from a public register - a transfer made from a register created under UK law that is open to either the public in general or any person who can demonstrate a legitimate interest. For example, the company register on Companies House. This exception doesn't cover registers run by private companies (eg credit reference databases)

• legitimate interest - the transfer is necessary for the organisation’s legitimate interests unless there is good reason to protect the personal data which overrides those legitimate interests. Where this is the case, a legitimate interest assessment will need to be carried out. Note that this exception should not be relied on lightly and never routinely as it is only for truly exceptional circumstances

For more detailed guidance on these exceptions, read the ICO’s guidance.

Before the SCCs can be used to make a transfer of personal data the data exporter must carry out a transfer risk assessment. Such a transfer risk assessment must take into account the data protections contained within the SCCs and the legal framework (including laws governing public authority access to the data) of the country the data receiver is located in. For more information, read the ICO guidance and Ask a lawyer if you have any questions or require a bespoke document drafted.

Since 1 January 2021, the UK has been able to produce its own SCCs for transfers made from the UK. Consequently, the UK’s new International Data Transfer Agreement (IDTA) and the Addendum to the ‘new’ EU SCCs were introduced on 21 March 2022. 

The International Data Transfer Agreement (IDTA)

On 4 June 2021, the European Commission published new SCCs (the ‘new EU SCCs’) under the EU’s GDPR. The IDTA is the UK’s equivalent of the new EU SCCs. Like the ‘old’ SCCs, the IDTA covers data transfers from the UK to countries outside of the UK. 

The International Data Transfer Addendum (Addendum)

The Addendum attaches to and incorporates the ‘new’ EU SCCs into contracts or data transfers from the UK to countries outside of the UK. The Addendum can be used to incorporate and modify the ‘new’ EU SCCs so that they can be used for data transfers outside of both the UK and the EU. This provides a time-saving option if you’re transferring data out of the EU anyway, as it doesn’t require aspects of the new EU SCCs to be repeated for the UK part of the transfer. 

The ‘old’ SCCs

The ‘old’ SCCs refer to the UK’s standard contractual clauses, based on the EU’s old SCCs. 

There are two sets of model clauses. One governs controller-to-controller transfers and the other controller-to-processor transfers. 

Controller-to-controller transfers take place when a data controller transfers personal data to another data controller. Data controllers are the main decision-makers. They decided on the purposes for and means of processing personal data. In other words, the data controller is the person who says how and why personal data is processed.

Controller-to-processor transfers take place when a data controller transfers personal data to a processor. A data processor carries out the instructions of the data controller in its processing of personal data. In other words, the data processor is the party acting on behalf of, and only on the instructions of, the data controller. 

As of 21 September 2022, to safeguard data transfers out of the UK that are taking place under new contracts, parties must use either: 

• the IDTA, or

• the new EU SCCs and the UK’s Addendum

Data processing taking place under contracts entered on or before 21 September 2022 that is safeguarded by the old UK SCCs can still rely on the old SCCs until 21 March 2024, provided that there has been no change in the organisation’s processing activities. These organisations must update their agreements no later than 21 March 2024 to use either the IDTA or the new EU SCCs together with the Addendum.

For more information, read International transfers of personal data. If you have any questions or require assistance, Ask a lawyer.