
Standard contractual clauses

Transfers of personal data to recipients outside the UK (ie a 'third country') are prohibited under the law on data protection unless certain safeguards are put in place. One such safeguard is the standard contractual clauses. Read this guide to find out more.

The standard contractual clauses (SCCs) are model data protection clauses, approved by the UK, allowing for the international transfer of personal data (eg names, addresses and information about racial/ethnic origin). 

The Information Commissioner's Office (ICO) has approved the use of the model clauses as a means of ensuring adequacy. However, this approval only extends to the use of the model clauses as they stand, with additional contractual language added to them that doesn't contradict them in any way.

Personal data can be transferred internationally by an organisation (known as the ‘data exporter’) provided that the organisation receiving the personal data (known as the ‘data receiver’) has adequate safeguards in place. Incorporating the SCCs into an agreement acts as such a safeguard, allowing for the international transfer of personal data.

The SCCs are used for transfers of personal data to ‘restricted third countries’ only (eg the USA, Canada and Australia). As the EU has adopted adequacy decisions about the UK, the SCCs are not needed to transfer personal data from the UK to the EEA, nor are they needed for transfers from the EEA to the UK. For these transfers, a data processing agreement (DPA) should be used if there is data processing (eg obtaining or recording). If no data processing is taking place, a data sharing agreement should be used.

For more information on DPAs, read Data processing agreements.

Exceptions

The SCCs should not be used where the transfer is covered by an exception. The UK General Data Protection Regulation (GDPR) sets out several exceptions under which data can be transferred without the need for an adequacy decision or other safeguards, like the SCCs. The GDPR sets out the following exceptions:

  • explicit consent - the data subject (ie the individual to whom the data relates) has explicitly consented to the transfer in question. The data subject must be able to withdraw consent at any time. 

  • performance of a contract - the transfer is necessary to perform a contract with the data subject or to ‘take steps’ at the request of the data subject before entering into a contract. Any transfers under this exception must only be occasional (ie the transfer may happen more than once but not regularly).

  • performance of a contract that benefits another individual - the transfer is necessary to perform a contract with a data subject that benefits another individual whose data is being transferred (eg a family member). Any transfers under this exception must only be occasional (ie the transfer may happen more than once but not regularly). Public authorities cannot rely on this exception when exercising their public powers.

  • public interest - the transfer is necessary for the performance of a task in the public interest.

  • legal claims - the transfer is necessary to establish if the organisation has a legal claim, to make a legal claim or to defend a legal claim. Any transfers under this exception must only be occasional (ie the transfer may happen more than once but not regularly).

  • protection of vital interests - the transfer is necessary to protect someone’s life. Here, the risk of serious harm to the individual must outweigh any data protection concerns. Where the data subject is capable of giving consent, this exception cannot be relied on.

  • transfer from a public register - a transfer made from a register created under UK law that is open to either the public in general or any person who can demonstrate a legitimate interest. For example, the company register on Companies House. This exception doesn't cover registers run by private companies (eg credit reference databases).

  • legitimate interest - the transfer is necessary for the organisation’s legitimate interests unless there is good reason to protect the personal data which overrides those legitimate interests. Where this is the case, a legitimate interest assessment will need to be carried out. Note that this exception should not be relied on lightly and never routinely as it is only for truly exceptional circumstances.

For more detailed guidance on these exceptions, read the ICO’s guidance.

Before the SCCs can be used to make a transfer of personal data, the data exporter must carry out a transfer risk assessment. Such a transfer risk assessment must take into account the data protections contained within the SCCs and the legal framework (including laws governing public authority access to the data) of the country the data receiver is located in. For more information, read the ICO guidance and Ask a lawyer if you have any questions or require a bespoke document drafted.

Since 1 January 2021, the UK has been producing its own SCCs for transfers made from the UK, and new transfer agreements, which came into force on 21 March 2022.

The ‘old’ SCCs

The ‘old’ SCCs refer to the UK’s standard contractual clauses, based on the EU’s old SCCs. 

There are two sets of model clauses. One governs controller-to-controller transfers and the other controller-to-processor transfers. 

Controller-to-controller transfers take place when a data controller transfers personal data to another data controller. Data controllers are the main decision-makers. They decide on the purposes for and means of processing personal data. In other words, the data controller is the person who says how and why personal data is processed.

Controller-to-processor transfers take place when a data controller transfers personal data to a processor. A data processor carries out the instructions of the data controller in its processing of personal data. In other words, the data processor is the party acting on behalf of, and only on the instructions of, the data controller. 

International Data Transfer Agreement (IDTA)

On 4 June 2021, the European Commission published new SCCs under the EU’s GDPR. The IDTA, which came into force on 21 March 2022, is the UK’s version of the EU’s SCCs (also known as the ‘new EU SCCs’). Like the ‘old’ SCCs, the IDTA will cover transfers from the UK to countries outside of the UK under the UK GDPR.

International Data Transfer Addendum (Addendum)

The Addendum, which came into force on 21 March 2022, attaches to and incorporates the ‘new’ EU SCCs. Once in force, the Addendum can be used to incorporate and modify the ‘new’ EU SCCs so that they can be used for data transfers that are restricted under the UK GDPR.

For contracts entered into on or before 21 March 2022, organisations can rely on the ‘old’ SCCs, provided that there has been no change in the organisation’s processing operations. Organisations must update their agreements no later than 21 March 2024 and use either the IDTA or the new EU SCCs together with the Addendum.

For contracts entered into between 21 March and 21 September 2022, organisations can either use the ‘old’ SCCs, the IDTA or the new EU SCCs together with the Addendum.

For contracts entered into on or after 21 September 2022, organisations will need to use the IDTA or the new EU SCCs together with the Addendum.

If you have any questions or require assistance, Ask a lawyer.
